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PROBLEM TO BE SOLVED: To allow a card owner to easily access financing and other 
services by installing a monitor application on a master card, authenticating 
download of a new application and downloading the new application to the master 
card. 

SOLUTION: A card owner 24 selects one applet from an applet list. When a monitor 
application for the selected applet does not exist on a card 2, a new applet is 
downloaded from an applet server in an electronic customized depot 26. When the new 
monitor application is added to the card 2, it is initialized by plural necessary 
keys obtained from a security server in the depot 26. And, the selected applet is 
downloaded from the applet server and is installed by using a security mechanism of 
the monitor application and, e.g. a gatekeeper function. 
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[fg«« 2 3 ] mUMMTT y v 3 y^^ya- 

^ 3 y ixtmrro a ^ fc^^o- h 

S*JS2 2tJ:4*a. 

Hi-&ifcjwac. *-KBre*ic. #fii&osr«TT 

it8gl£J:*3ri£. 

[M*g 2 5 1 mmmnrnmrr y ^--^ 3 y 

MT7V*-i>'3yt:'kti. 

[ffl*«2 6] «EW>«W>6*ifc^9^-^-Ji. # 
- F8ftT#fc bV^XCJ: O-tJK- h $ 

tummrro-y-^ay. fiitfiiExv-ha-K 
vituayv^-ti^mw&^-^ty* 
9 t ixm^-rhmmrro a y<ryy%< 1 1- 20 
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fg$)a4 5 

U- ka s ^Q:< fc i>l>fc-o<9£r&TTy *--^a 

- von* y e ±wwsR*Tr y ^-v 

3 voytdhey*!— 9— • rry^-v-a y£4 vxl — 

-• TT'J^-S'3i'KJ: t K fcilX-VX^- • 77'J 

n- K £^IEtS JttfwOluE'f yx h-si^SlcHSff 
*>*tfc^& ; -e tT . iilEXv- b ? o 

M#R4 7(cJ:&3'X?a. 
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ft*Ja4 8tiS>'X7 1 A„ 

IS*«4 9fc«J:l > vX7 : -A. 
[ft#«5 1 ] fuE*-?- 

a*S4 8tiS^Xf-A. 

>y h . y-^-teXV*--?- - Try ^-^ a > ■ -9- 



ffi#JS5 3£J:6i'XTA. 
[ H*JB 5 5 ] IffESi«77 'J^ 3 yJ^yn- 

-fcil«H-S3g#£«lx.6. 
ffl*3S5 2t<J:2.yXfA. 

[000 1] 

[Kaassfc^axy^ruyx] #aiiBfi. 199 

10 8^3fl3 0BitiB^*B^IWRa3eig6 0/079. 

8 0 3^tf>©5fctS£ff:£-rS. 
[0002] 

U JgCPIBtfcL 2otLh^X-7-h*-H«|g^Jt 

- hit- b'fflwrr y r-i/ a y^'mthumn £V 

[0003] 

T<0T-?£3h7>y?±K§ik££fca J "e§6. K# 

[0004] 04i.{f. 80 5 l*tt±6 8 0 SiOid^ 
8b* ■ 7>f ?arD-fe7tJ77Xf 7?*-Kt 

30 fc. 0Hi.Jf 1*^2K(^)E2 PROM0mt>tvrza&&& 
[0005] £*StW -y y / H*- FB, 2^>JjLh 

tix^&. ^(oxd^^:<7mmizhtm^i. ism 

WXh^^TWSIfttt (backword compatibility)-^. 2 

v^T. f-yrcoSSl/'CV-i-CCiAirtSCifc-CfcS. 
f->y7*fc«7)*^i*Jffl^:fcov%-Clis &£r£Wffl&S 
*>\ *-H^-yTg?fc3te^Wxh7-(r3SOll*iS:^ 

as L*»osati £ fc * j t-§ s . 

[0006] S'J^rt- HT1±. Sftl^ffifc^Sfeffitie** 
50 ^-K^RtTfeS^. ^-Fgm^afc^OfcDO 
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^lmmWrt (**6£h 8-1 Ocm (SSg) . it: 
HO. 5~lm (i&.ffilZAifc&f. h?*??*** 

ns^»A-ri.ie^J>i>*-HtJt«fc. 1/20 

K#^*^yx4k«&kfct -Iii.£> 

M-r-'ffi3£fcLTaj5tU:. 
[00 0 7] x^x^y^^Mai^/T ^-HJi. 
i!)-YrtW!&flzE* PROMtcvx^y^Sitfc^ 

[0008] xv-h^-h'ms^-c^^i:. \m\ 

9 7 0^tm^TJ>o7t. L*>U H-o-y^Sr^V^ 
•C. VkWrxk&ftX'ltm&'M a -y r-o«£!fS6 .1 fc 

flli-tf. ffiff^t'co^lBSRIiV I SA 
CASH-^MONDEXtfD.fcd&Xr-T-r-' -A'Da- 
• K (81RJ7 ,, J / Vf K#— K : stored value card 

s) >uvvy=m~cm&t®3mizwrLt:. % 
nxo&uu -y hwmmx-it. xyt-yxv*. 

W ( P O S ) !^X'<nlB5MRit:W)*%l><?>lz-f&tzit> 

[0009] h#- vmM^comm^M^x. 
xte^htf. xyt-y - Ay*- t-Ytrrv?* 
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Lm^Zki>tyt>irX't>&. Z.tM£kLX. %M<rM 

(oxv- f Ymwomzwmx'h s rru ^-s/ 
o±»f *tifmx-itt+ftx-t>&. 

[00 10] XV-htf-F*^ 197 0*£ftO* 

? ■ a-Yt^mmtix. w&-f&w*mY74 rt 

coXo%*>-Yli. *V74y- Yyy-ffis-iytiX 

xfznw&ktc-t* yyy - ^-Yizm&th-t**- 
wmz~?- Yt- Y<7)tmx-. xv- h*- Km#T 

[0011] ^«m^»££iS$&£Pi&t&.r fc« 



fvotf:.! fc . -e LT? i^'-/ F;5r- K^fiJffitf^&L 
t^oOii. X-?-Y*>-Yiz>ZmtZ 

WfifohfrtiX'hh. Java^-K ■ 7y?Y7*- 

io -t -?■ -r X'TT v-r-isa y ft&gt -r s — 

J&fc'ftSSitf .1 fc »K -£ d "tfitf k* ^ -H-<nk' 

(D#- YX'i>mm-& a ttfx-z h . 
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30 -Yi}-YmT7Vy-i/sy*W&rh-)i&&Xlfi' 
XxAi&S^tS.Ik-C&O. A-YJ>ftfi%tz. %~Y 
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[0017] x *)w%:z>imkmmi. $>mm 
40 mx-7-Yit-Ymrru ->■->- a yi: f smtt^mti 

[0018] *IKBOJtEW. -e LTffi^ IS. 

^ayfzMzx-7- Y ij- K-^ffffl^TT'J ^-^ a y 

i)- YmTTV Ir—is a ^ £ t gm-t&1iW;isXlfi<'Xf- 
50 AJr^ftL. t?9i.«f. XV-^-W-f^naye 



ya-H5-|2aE-rSifc. feitf. X-?-F#-F»v 
-F^&^fc. £-£tr. v-x^ao^&'v-F^xT 

7t*x-?-F#-F\ as*, ^sflsra^- 
7-7-/ h^^-Awfi^rffliiBa. • Try* 
-• Try a ytix v-f#-f±-c. r-f? 

-(arbiter). y—Fdr-v\* (gatekeeper). * •y-fe-> ? 
fX/t»ift (message dispatcher) k LTfSfflL. 

■ 77^-^3 771/7 F • 7UAM r£ 
J: >9f£f&$*LStfSter77^ >y FTJ) 0 . iixttrcm' 

±^<o^ yx b-^-S <I k *W®th . 

[0019] ^%mrmmw,zn^x . ■ r 

7yt-y3yli« SW^X^A-ftrtf' (el 

ectronic customization depot) <0«t d 
£>. mi^-^a^Sr^yP-HI"!)^ 
fcfcJ: >M yxh-ii^**. *<DT;Ktt. Tri^y F • 

cD-tfifc^^cOflStSSr^tf. • 77V*- 

^ 3 y«±. mi*. JBSTC^Vo-KSit. 
S^fiftWtiffi (automated teller machine : ATM) . 
BBgffiSS*. A"V3X aAJ81Pfi«S& (personal dig 
ital assistant: PDA) . TVWr-y F • h"/7- 
?X (TV set-top box) . ^y F7*y(land phone), 
■b^^ytcell phone). fi^^fVy *> (digital pho 
ne). ir-TVl/rVtf-y;?;* (cable TV box). «£TV 
*y;?X(satelite TV box). &&5giSKgg. IHgftfc 

assays, mm ■ #m&mm&k\ smprrv 
^xgwrntdruk-yvbh. ^-9- ■ 77V*- 

Kfcv^Tir^-a^^yn-FSfiS. w^ft^ii 
-tcioT. rryr-vay^ajSHtts 

Cl fc ti . fr&TT *)*r—i/-3 y 0)7*7 V n— F 5ri2E-T 
7 U a V t J: 0 , $ h £*ft£8t ^X * >v*l-V 

f^^ffflW^^- • 77V y-y a yci o . r 
7^-y 3 yiD (tw-) fcSflirry^-i'ay 

C0020] xmxrmis&i&t&^x . XV- F a- 
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i'Jx-f #-F@ftiig<Z>ID£. PUfcf. X 
V- F#- Y<D~?4 ?X33y\ZzL—?±0>77V T—is 
3>lz£t)lim?&ZkX'b&. Zni-otcWMi.. ffl 
i.t£#- FBftn&e>P I Nti 0 . nam 

ffy^.W&lT—'? (biometric data) X-%Ztl&. f£t 

«. mi.M. mccx^i-izx out? s*u a-ra 
^<nm&>£ o ztkimT-ftf. x?- f#- k± 
oajfSTyTV-FfcJt&Sft*. fsrry^-ya 

10 h K £ . «iJjr^<-TBK"t* c t x-b 



[oo2i] *%BBonM^®tfc^T. 

V *r—l/ a yj^ya- Y-$h1[7i/ a y 
Ws$fflT7V a y^U x h-#. ^- r--0rW*tc: 
20 mi&ttW7V tr-is a ytt#- H0r*#fc#iHaM 

Wftewwirry ^-^-a ySrJR^-r&+^^ / <- 

[0022] *mie>28jB®&fc&^X. it— 
Ji. ®IS'5:fr«r7' 'J^-ya y<9 y X h*> ^>ft«^ 

-Hrry^-^ayJrSlRL. ^x^<rmW7V 

ir-i/a y«. TTl' y r- • -^-A'-fcJ:^-^- ■ 
rry *r-i/a ymmco-^^iWii^vm^ 

yn-F£*is„ mm77V*>-~-i'3y\imceyvy 

n-HS^L*^ I^Siffil (AT 

M) . &^£3g*. nyay. fflAfflffiffiSS. tv<?) 
-b yh- F-yT-^y^X. 5yF7*y. -fe^7* 

y. r^;^*y. ^--y^Tv^y^x. smtv 
[0023] *iiBH«iitfeJBSttJ^-c. mm77 y ^ 

40 -v-aya^^JtJil^fflOiailSriltT^^yo-F 

Six. xv-h^-F^-f ^a^ytjL-^tM yx 
F-/^iii». ffftrry^-yayti. r 
ry^— ^ay^-b^jLyr-f - ^*-XA£fflv^T-< 
yxF-;i/Sii. fMrru^-^aVfcfct^-S/a 
fffflrry^-^ayji. *-f 

arry^-^sytt. x7-K*-K^?o3y 
50 tih. xv-f^-f • w^xhy«03t:-»i^ii«re 
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— x 3 yffl<O^V— x a "h/kr— ? (operational dat 
a)<7)3e-£ffiVVCMSr$*l&, «i«r7-'J^-^3y 

770 Ir-is 3 yizx zmfettotfdmmgtitfici&ico 

[0024] *mmW£h BW. fWSL. <ktf$rffl& 
fHH±, HWMM^WIKSt^Mu 4fc-»ttia 10 

[0025] 

[BM&iMn x-?-b*~ Ym^M.-mmm^mx 

K^»i^J:*«ltJ£3;*MfflfflfcL JMH&OSnx 
Y=7A 7ij- K#»0 - 1 5 KA'/tf - K . -/ 
7 ■ Ktftt2 . 5 0 Y)V. ZWm^A 7*) >y YA 
- HaWB 3 Y)V/ij— r-\ X *f < >y 7 ZW&m- -/7 20 

• ^-h*^»4 • imm&t&i-Yim 

7Y)U/*-Y-?t>h. 

[0026] *^HB<0|U©B®W7t46c0^a»|g^ y 7 

■ n-Y(o)3t5X^ffy^zixYm^m9 Yt\sx-s> 
s . 1 2 wj a»£ i 8 * Ji»fc?- ? rjas^-a 1 2 fg 

ilj (Moore's law) »i. ^BSt^-Ktf^fr'lSiafc 

fc t> CfticT^ CI i: LT VM> . 
[0027] #?6^D|IS6^!gfc:&v >T , m%m$: iti 30 
CMIl^v- YA- Yit 2r>V)±<r>77V tr-Ssa 
y*WfriZbtf-C$. *-Ymm.£$\M77V5-- 

=y 3 v <r>A >x y -)vz*rx- vc%h. zmsmx-? 

-Y*-Y<D77Vl-~i/ayffifcM&. Wlti. 9\s 
i?-v K -ft y K XY7—Y ■ s<V3.-<r>£o%:3Cil. 

v«tw**4*i6. 2mmmx~?-Y*>-YcmcD®m 

xcDJtabOT^-feX*-. tlA^n? -/k #±^IE 

(demographic)t>J;tf»^, tmt 

^xy^'y. t5XVv4TV"r4 7n7'7J>t?-Xy 

m^-yy-^y^y-n^^ttit. 

[0028] *mkOg£®&Mtz}5^X , Try ^-x 

- h a - h <ina^ t <sstt£ t os^iis a £ 

£6. Java#-K ■ 7=7 f Y7*— A<7> J: 3 frX"? 

-h#-F • Ayyy - 77-v Yy*— Mi&W®ffiA 

-Ym%£*rx-YL^ *<nmm&. *-7yx\ m so 
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mfex-h*). ^yr^T^y h^-Atflaf-e-r. * 

l/C. J2^&TO:/7V<7y<.-x£l$o. 
[00293 *^BJ<0||^©(cti^T. £«8flSfcJ: 
If^ami ^"-^3 y • X-7- r-#- Yt^oHM 
ti. W£hy)\^7<nMz\±m%hWk*ft'yZ.tti i & 
BZtlh. tomtit. m^b7707--^ay^M 

Lxmztih . ®m±mmn y*7 yx-$> 0 » 

T7 u *r-is a yim&nmifolztoV h 3 y-feT 

YvM<n$mttX'&h. mm. ^mi(pures)^ 

tz\txY7-Y • Ayi-tt«&C*»), flu*. «i 

If. VISA CASH*5ttiMONDEX<7)|fft{ir 
fcV*3jST\ #^TS>S. 0?X»f. V i s aOT I S 

t>ffif$.2ti&. fe->x. %mmmx-?-Y#-Yit. m 

i\£. X^-Y*-Ym&(D2l&±. ft^xmrniz 
4 yxY-fVZti&ibK ittmmWzvt-YZtil. 
77 D r- is 3 y <r> 2 oULhSrS 9 ^c&w&Miat&fj 

-YtLX%mZtl&. 

[0030] *^coHi^ffl[ttJV^T. J£®5:7-7 y 
Y7* — A ■ Xh^7 i > ; * I S*^3g^-Caffl^'C. * 

7<ny*j>n— Yt7v 77v- Yimmzfrtct & . 

-etifcioT^f yxy^'xyxoiosratg^i:. 
s^x^<J!>v»fc6ki*lc4«)[«*i*. mt\f. 77V 

l^>y Kelectronic wallet)fD<J: 5=5:. Sg** 1 ^^— H 
J:d=5rS3&^igiT'C7)^L(perspective)t;i'). 4= 

[0031] *5KBcolUt^®tfc^T. ^B*r^r 
r^--/ 3 y- -fyrw-ht^li^iSWTry^- 

v 3 y(generic application)!;*. &{kZttfz77V ? 

-^ayZfchko&mztihfiK itzitsmtpti 
h. ry7v-Y\t. mwaz%%tzL. ttxtMtz 
wzu iasiffltt£{£5iH-i>. wmmzMm&n 
mm£®A,x'^x. wm i W£Mm~ s i&iz-?h. ^<r> 

WMXli.. EMVgipwS?Sttfl:<±Kff<OTb'>y Yt7 
VV~/ Y(0®mizXY7-Y ■ A'J ju-SrSiairtS. Wi 
Xl-Ytf-Yti&J*. •fe*A7-xi/?M3- 
•y^ • h^yif^i^a >" (Secure Electronic Transact 
ion ( SET) ) 'MRDAftfcifcCJ: 0. 

-TSOttfoT. f-yrm^nv-xcobVsyS-^S 
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[0032] *JMHWSHBWifc*^"C . MHi. i]- 
F • 77* 'J 3 y • 7*7 -y F 7 *— Atf^&fciJl^ 

T±s^^fC'*s3-^-if* { *s. znzo+cm 

^ 3 y • Avt^tvBVX'h*). **Ui. Mitf. * 
— f • 77^-^3 ytffflSfc&Et^tc'f 

?F^££i£^fiEK^S*#-*-k££tf. i>oUb 
-?0)ft¥Hi*y ■ #-FT<077*y r~-is3 > ■ A y* 

y ^-^a yfc*7 • a- fttu ^-^a yfflnmk 

ttAVfvVi'vVttX— Y^htdh<r>^ ZLXftM 
tf. 

[0 0 3 3]#?fcHJic9l£jS^fcfcVvC. 
§>9gtttf~>7 ■ *~ Ktt. fr«T7-y ^-i^ 3 vjfcff 
acD^yn-Ffc^Sfc-TS^y • #-F • A 

• -w?- f £%-r & . a- Fasgsff siifca-c^- f ■ 
rry^-^ayi^iJDifciiBfisSiiswr. -e*ui 

tif££ ^K-ts Tar-*?? 

Ay?#-F(Bankcard)-^7M#-F(C 
iticarcDOia^y^-VByx yT*- tf-FliS&W 
(C. flJi.Bfi'-r-f Ay? (Citibank) 6Di d&^MH&RkO 

itm<oQm)W%c?>—&t vx. mzif. xf7-f ■ 

Ay j. — (flif&v>) » rt'yh (JS&^> . 71^-yF 
(&&W v tJitfCiticard (ATM7?-bX) 2:, ^ 
^Srt/cCffiO-t-h'Xt^-TI) y l^-5/a y^-yT* 

• t-VZ&fflmiZ&fcrh. Ht. Bankcard tf>± 

Wi 'J U-^a yi' •/Tffy^t LX 

i/ayy'/r*. 0«X{f. BankcardffltCj£(fOO. S£> 

[0034] *%0B<OHiS^©tct5^T . ZmBkt&A v 
-F#-FfcL ^BS&^-r-Ftf-FOi^gttfc^ 

I). *7h. G SM7ty (GSM phone) % -Jr— 

77K WebTVfafc^&S^&MI&tiwOfc^'e^: 
T<0lR^f-^*^fc7:7*X^&<0fc<£JB£*i.&. -5-^ 

i o %m.mz x o . f^- Ha. rag 

[0035] *%HHc7)||S0B©tciJ^T . ^fiflliExv 
-F#-Fti, nysot.— •efcb'v^xwxi'^ hn- 



• (lfflffiflX'7l) Citibank <T)£o%: 

■mz>. fcv>3*)t>. £mm<?)3Tt'i;*x^ mm 
(Kyi-) nimot ov^-<o^ii, fcitx^u^' 

[0036] 3|E»HB«0|liB»®^tJ^T, ^SSfigxv 

^. -e^ia^-Kti^y^A-^t^^ffifi (a 

^£'^ : 3r<T§. 3 y ^ j. JiffiStc&Si^HttKW- 
§ x ay^a-ViWiAfi^^^-^'f^-r*^^ 

(flA.wallets) fcBNW"4*-H*5l«flr<-*-4ii:36 f 

■c#. Pit^-H^ffifflLT. -aorry^r-^ay 

l^^^Tyh-Cfcl.. ^-H±fcflMl36 t 4"t*t1td' 

^l«BI{i3y^ J L--7tc. #-K±<9*<7>#*S: 
ffiffi^A.y^T-y^-S#a^SttL, -entci-^T^ 

[0037] ^.^mcoms&mitza^x. zcoxo** 
-viz* vwrnzs-t hixhi&chmmtfmcvmx' 
bh. ii-Y±iz'mzmttht^o?y*TV\±. 

40 A^t'j>& . zwrnfi- vm%?>yA ± 5 v 

r^yn-FtttciO. 3yy A -7ll <IA<0S*fc 
#Mzm^XT7V r-is a y 2rSS?-tS - 1 11Z&. 

[0038] #26BHc7)SiSe$g»i:. Jg**'t4t^*^. 
50 til, *-Fj5r***WMSftT 
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[oo39] xftwemimmizte^x . ismm& 

^^^^^^^^^^(depot). BX#(acquis 
ition)fc*-H'gSI>'XTA. ^ar^XrA^D-f y7 

• 3V-*S#T'tt£ffl8fiUv-F#-F 

H^to^y^^^^ayCtO*— F - rr'J^yaV 

F • 4 V 7 yft<Dmm.cDWi. -e LT* y h 20 
V— 7 ■ 4y77rt^0r'£^?7 r r£&£. 
[0040] *f|HBc7)|ISfeJgS{c;fc^T . *- F ■ -< > 

■ 4 y?— 7x-x££fOi:fct>fc. Java* 
-F ■ 4 y7yl,z£*)ffl8&tLZ>£o%*tX-V ■ 9v 

^F^SidtC-fSfcabC, yXfAll Java* 
-F • AVJytoi.ott—Y- f y77flfc. fcitf 30 
Jg^fcte^yFV-? • y^fA»tI^)t:. "fSbm 

^^s^-F^agaBUb^^'fT-wsax^&c: 

fc*>"C^S«i:'+^^V7;l'T*5. Mttf. It^ 
tto-<-\"jT--f3g*tt, £ftO£j£<-tSJ-5XF7- 
F • a'iJi- • #—F£fslffi Silt A^-fedfi 
T ■ T:?-feX • Tr'J^yayii m^f-^ y FOv-* 
— F ■ T9*xmmX'®< . *-y -AWy- 
V^HCiJV>T. ^-/F"7-^ • ^^7511 ^&<7>T 40 

-F5rlW-F-tS. 

[0041] ^f&^OlW&^ffiitCfcv >T , Java*- 
F • 7*7 «y h 7 * — d =3:*— F • 7*7-y F7*- 
Ali, X-?-F*-F • ■iyymWmtLXrtSL&i 
Ifet-T. Java*-H'777h7*-A«J:o^ 
-F ■ 7*7 y F7*-A(i, XV-F*-Fffl?M V7 
7fcLT, *-F±fc3g*<7«JrC. TTy^-S/aV 
cDfflffilfflSriiJS.-tS J: 3 £.mtZtlh . f*ffc, J a v 50 



#^1 1-345266 
1 6 

a*-Ffflfc^3*l£XV-F*-F • rrUT--^ 
3 y'i, J a v aA— f-vrt^S/y (JVM) tJav 
a ? • 54 7*7 U SlhJf- F^SfflfUO*- F±T* 
t^di:*^. *-Kfc3iJrre*4. Plfilt. JB* 
T'OffiSI/fl'i. *<OS85fc*'. fl63gT*Java*-F • 

X— y'xVh^/ilJt-t'T. - 7*O^MrS:J*-5-CV^ 

ft*. *«9J:5:S^Ss-m, iS&s^y*'- 

[0042] ^mfogffi&WlZ , t'X 
■ 7y\)7~— va^li. {^X'JSchlumberger's Cyberfl 
ex LTKfl-S*ifc*», *»**fc<TTy 

^r-ygyll Java*-F2. OttfilOi: ^i** 
ttXV-F*-F • 7-7-y F7*-ASrWfflLTV^. 
Cl<-)777h7*-All *<0J: 3 FSi 
«co|g*&4E-rS t fc i> fc> FIfetTafc'OJ: d K 

scotffiffl-rs. *-f • y7 7^s^5t^ss 

JtrT'Jy'-vaylB^S-nritjt-rS. JavaT^-y 
F7*— A«i^^r-^<0T7 y F7*-Att. g=5:& 

h. fflSimb&t. -?-<7)j:d=5:Javar5>yF7* 
— Al±, B^Xif. Java JDK, personalJava, embedded J 
ava, Java toallet^ Java card, picoJava iiSAsX^ 

[0043] ^mmmsmnz^x. =tvtv- f 
mmcr> x o u t--^ 3 y&gmfrhonz-m. 

r u t--^ 3 y • ^-s^a ymm-f&z ttfx* 
&xb&. f-yru-hn. y^y^HT^fyf-^T 

yru~hii^MTTV7'-^B yi:i(mthmxm& 

■c, i»w--f'>A'*fi»ts. i»wtrryir-5/a>- 

-*aer7°y7--v3y5ratL-cs«)/v:<)W& 
h. fyrv-v\t. yyA^-^-yvommz^ 

T7Vir-isayfflcomsmmZ®%l l Zi-&. 
{flttf. MASTER CARD/MONDEX, 
VISA, &£V EUROPAYZmmLXm-HW; 

x®«-xy4y- xft-f - Ay • rr»J7- 

[0044] ^^^i^SSgffitfcv^T, m#Effl"^T 

7-y 7--5^a y ■ fy/whoi oa«rTy^-v 

a y(i, WtTTV T-v a ySrffofrf 6£#>t3iai$ 

*^JiS«^itT|ii<i>ii, *-f • rryr- 
>- 3 y ■ i^^u-c-ffl5j!iffls-^j£-rs. *-f • 77-y 
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f&fcz^mizi. msMRm*imf&. rn-bx* 

&%lZ-thtZ.ib. Smart Card Special Interest Groups 

flr££K><. .KOft^li. I ATA Smart Card Subcommittee 
k Airline ICC £ffl5&t6 I ATA Resolution 791 (O 

[0045] ^m^mmwAza^x , ^fcfflsi 1 
h. z.<m*)x\*. EMvmmtmimmztix. m- 

©ft' vYk9V : Jy r-«*»VX F 7- F • 

*f«rrs. ioikti. Hitf. visa, prot 
on. iJit/ffiwxhr-H • 2--m&jm&t& 

Hat. SETgsptt. l^*9tSi-St:o^T. 

Tlgi^nv—X (chip-electronic commerce) CO a V 

[0046] *JMK>%fGR!ll£ft . ffl23»B£g : 

Sffi<0g*f±. Microsoft <0PC/S 

CfcNCIcOtf-Tytf-F ■ (Open C 

ard Framework (OCF) ) T&S. MUZ. &fflffiffl 
fct. <fcffittGSMi:-fe>y F - h^T - ^7?X<0yXf 

■ Tf^^xm-m-tm^^z^m^^x^h. z\u 

f • hvT Xvtxtizxiomiztix^x. 

x^Afcrry^-^aycBiix.. {K^fyf-f 

F#. a^^tfW-SHilfiiWi-f yf-Z- yhV-t' 
x^<077-bx£ a y F o— )VLX . 
. [0047] *%BflC0H^ffiCfcV^T. 

— *»/ hk^U? ho— vf ■ 37- -XCOBWfcOftffi'? 
-^■yFfcL -b* All^-fi^ffikV^I^S^tS 

?T& 3 7ttot. • "C-XeoMJ F 7 y^f-7 ^ a 

• h^yif^va^ (SET) tt. *:fl@tis£xi^F 

£"Cli. tEBBS(certificate)*>*SET7*o-feXCD@^" 

<v&ftX'$>&. ztLt>aziyi'x.-'?mcDPCizfeth2 

iih. ^i'jf^sir-rtiif. m&ziz\mfm 

&Xtotfz<nT7v—^e>X&X'fo&. fto-c. mi 
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[0048] *m\c?>mmmi,zis^x . xv- f#- 

■fScoi: 13 I < J: 0 t=. ffli tiBWrt 

AX mi K7\M F) fc. HgcOaEHJleOTtabt^IETn 

Atmmmtmitth 1 1 hiztmztiz „ imt l 
x. wm^pciznttittx. ukit-fztiztia 
tcoryj^-h^-tJi-vizimisit&zk^m 

[0049] *%fflcomti&&M lz J3 V >T „ Hfg-r h Z. k 

^*-XA(i, P I N5:ffiffl-rSifcf*l>. L*»U. 
P I #^X2*{Jfif?8^tBEttfc^-^T 0 . t L 
Ztdfi&btuz*). &£tuz*). &sv^±^-F0r^r# 

o^"3*-F53r^Oif*«l8a^^^7-V'-F*±^ V 

fcim^i-U A^OfflAMSS'JS^^-F^^ifcJl 
gtLTilV'k. ^-F±-CiOT-^rW-FJt^<OftbO 
fc. £SM±. *-Fk3Sg5RHr«l«StLS. uni.-c. 2 

[0050] *%BBcoHte^©{:te^T. X~?- YX- 
F«. iiffl^ixSF^yif^^gy^^t. r^-fA 

ISBLT^i. :Wi. n&^fc (DESJli^itli 
RSA^^r-^-Xt-rS) fc^aE(x^^^ 
^it«ftS) ZmiXmiZtlh. RSA^df-Sf^ 

(Chinese Remainder Theorem) (CRT) £0 J: 3=5:8 

t. w\mm^m (eco <>. sv^-st-i^^) 

-fe^^Ux-f^Mft-rS. 5SBWfctt» IH^8h'-yF<7) 
XV-F*-Ffe«t'tt^<. «itfl6tyh, 
«3 2h' y F<7)RI SCra-b /^ffifflLT. *-F 

[0051] ISSvWX YyJTt. tiW*V n y 
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-HW- h—7>tMM2ti&. MIX. ffi«(i. 
ii- YlX-y r A y^K* tfc 0 . as^tfe* 1 )-*-* fc*> 
fc. P 1 NA*^4*WW«ttW. «*=rB*7*-fe 

[0052] im^^mmwzn^x . xv- y 

BKn-Kfc£lW* (t-?£MAC1-&) ifcfcJ: 
Mzt-Y^fVyv-YZtih. «itf. et«>*F 

[00531 4&Qa9GMB&&£ v vc . xv- h 20 
TO. #-FiWWf*ftfc«l=. fr«T7-'J^-vay 

t5it/*-F*^^-^^ii^Ty To- Ft U« 
6. Citibank ffiXo^-YMf^^tzibiZ. Ztl 

a. «itf. V7b^xror>yr^u-K. Starr 

Z.tl\t.m^hC\k\Zfrfr&Y-?>V3XY<ry8^ 30 

[0054] *%BB<OHSBg@tiJ^T«. %<(Dj)r- 
rfy^tf-F - rry*-5'H>TWtft*IVOV&* s . 

S. Witf. ft'-vf. XFr-F- A»J 

7ry'Jf'( ■ T^-feX, F7-? 40 

[0055] imwmmmz&^x . rry ^-^ 



20 

x^A-fk^Tsrigt-rs^tWffl^^. warry*-- 

YnWTT Vir-isa V<nt&><r> . fAr-TlCft-tX 

at. iilra^iJUlSKxv-h^-K^o^trry 

[00561 *5KflOHSBg@ti>^T. X Fr-F ■ 

Alia- rr^-vayit Jf75-f vwsrcsA 
3m-<o#&£ig*-r&. i&orry^-^ayttit 

7fflWft'7 F. ^U^'y K i}«fctfXF7-F - ^'J 

xl^Fo^y? - 37 

-x^tona^t^^-f-v^a^t^ia^itSLfc l 

MIX. ffi^D-XK-mv« (A-^HB*) 

it. mitt. VH-'Tvbtwftb-ty (^xtj*^ 
(oimwimt lx ) . tsxiff—m-? ■ y-9 

y (GameWorks tSXlf Disneyland c7)J: ^BtfcXV 

b<m<m) hmmiz^ x-7-b*-YzmLx38Lh 
tlh. 

[0057] ^m^<nmm%\za\ivc. mt&ttti 

ay^^£0^t\t. Milt. 2m<VffiZttm7n 

nm. x&rf. *>-Yt. *y?v7 ; f<y73m&*L 

\$*r-*-h<?M(r>W5WSLX'foZ>. PIN. itiim 
&<7>Xo%'W X ■ "fyyv—YffMXij—Y^^ 

TJ^yTiTizmtrt-m. zv-b*-Yit. m 
•rs. mmit. ^rv-h^&r/i^yxi^ mi 
[0058] ^^^mm^miza^x. uttiv*- 

xv- b^- HJi. fi!H?iiS h y y*f? * a y^wiffi 

Wr^'Jf'* T?*.x<nfz#><r>. ZLXX—f-v 
;pa^TW*-/ by-^ • T^HrXfcE • 3V-X • h 
7>if^^3 y<7)1zV><7). ffljrtTir-btt—t LXM 
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[0059] *^«i«0|lifeJg®tfcV^T . XV- I- 

j£3^if*tf>1fi#£ it- H £telfrc£ & . irai/t . n y 
[0060] ^EfKRmSBBSi^^T . h #- 

4 XT-<D«*«3^m-tT7-U a y#. 

[0061] *9MIKggftiR!BC&i . xv-hA- 
Fl±. S-'hSSlEffl »D>f -V'J 7M #4 y h 

ymmt&z t c * *) . m^k-Mmmcomiz-? 

4 vb«o^^Mt^tf7^^y^:S:^3 -y try 

vx-rmm. a-FBrarsiatflw-*. mix. 
*&m±. &t><?>®Mzwmhi><r>*i&?z> 
mm (scrip) srntf -t h z t #-e# h . 
[0062] ^mmmmiza^x . fjwwt 

Z t tfX'Z h . mz.lf . *- FBHT*±«t: b*> 
-b7b-b77-^7n, fed: 

f-^+A'twcv rt-vi-ti>ttmjw&izmt®zti&. 
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[ 0 0 6 3 ] ^ T\ ®ft£O0iii^Hj»$^TV^*% 

x-cryr-^fi+vte. ^-H2*^3S*4^. yny 

T , fflmizitrt"/ ? -xy F • 1 0 i-C^K 

X-<r>f*-x\L ^xrA<ofi5^r^ffi-ej>0, -fe^jt-'j 

tmmt<vm&*fm;-r&zti>x'zz>. mm. z<r> 

D-r-f**. m&i)*t>mU%ti&£oiz. t>&MiM>m 
izft&XdizmZtiX^h. 
[0064] W.izm 1 £#8&t& t . ffl*^ffl*T'^)T 

-h^-H2, JS*4. 7oyh-xyK6. ^vYV 
-*8. fcitX. >»N* y * ■ xyH • 0^'*) 
*-HI6ff*{i. A-H2tA^ ■ xy H • ih- 

A-i o^M^rc-fe^fj-i'x'f^^^ffiWt^yba 
-^-rs. ssg*4t>itf6h^-/ vy-vztamm 
zx-iiK^tttzti. mv^&M^^^xmytih, 

-fyxU^'xyxtJinaigTJtt^xxA^lct^ 
t&ZtiX^h. T7V*-is*y<r>--tt&fc\sx. 

[0065] *^B<7)H^ffi^tJ^T. IE®«^V^ 
?7>fTyhi:l/Cfil!3XV-h#-K2l;L 

«k 3 ^M«snt %<nm&twm<^wmi^zxz. 

}dxVk.VV—i'*>i'v7-1l—YX'hh. ZtlZM 

t^yo-HlgTJ^I^-h-ri.. 

h 7t-A(0(WJ a v a*- VX'h 0 . - 

»/ hy *-Mz&v&mmffigcoy-y7)i'Z*ti- j r- 

Pg®SPg^gflW-&. Ptefcr. Mondex iOMULTOS 
J ( JVM) 1 6(2. »W*>*-7yWvffta>-;frc7)# 
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-F • it^V-f- 4 /? ■ l/Xfl* 1 A<n±izmr>x^ 
h. 

[0066] *$w\<7mmmx'<?>. ttv ■•/ f t v^d 

F»Tfire&3>X'?-F#-F • TT'J^-S'gySrSi* 

^i\.h<Oi:'m<tdhliZ.fU F=J-FtgaE(bytecodever 
ificationJ&Sft-t-g.ifctiO. jlff^tiiln-fe^A 

JVM16ti'3«fS?$ni.. JVM*16*>±fc*S 
<7)»J. 3S^^ 5X ■ 77 U 1 8T'* 0 . J a v a# 
-F ■ mi^-vayiSrfflfg-r&'f>'^-7x-xS: 

mrcofcivrry^-xa vrnM^vrv-v i o 
4 fvvx'hz. *K lt. ffifl«-H ■ Try 

*JtCT7*y t-ya y2 2* { J>6. 
[0067] ^jfcHjJwHiUBffifcfcV vc „ S*tf)SiS3fcfc 
7?-bXgg4te, XV-F^-F >(^-7i-X 
£j$0„ ^^tiATM, POSSg*. (X?yF7o 

^^ttspc. fflAfflff^as (pda> .t7h-b 

T >y 7 ?V- F § tlX j^-A ^X^^A^aSt* & <* 
dfc. #-F 2 kffi*4 t<Dfflc?>-foC0T-*7-7'}-* 
£Jg*t&. PUJf. PC±fc&i>j&\ ^Jtli^yFV 
-tUzVfficthnFf-Vl"/ FfcL i&vv?— t'XiiJ: 

h. X7-h*-H2ll VVyF^gSgMfciSSiUt 

tf„ XV-F#-F2te7WF<9ligW^fcLTjI 

F 2 fc^Sfu -^rc«Ui«*4 * 
•CcM yf 'J s Jx. yxcoftffcte, .TO J: 5 %miBi£X 
[0068] **Pfe>ISiiaRWctNvC . 

fcf. ^-F2*^Ji^^-^'-±tS5.JStt^«lf(i 
ffi?gtf)tt©fc it- F 2 C0S4$llSt*V^T:^$iiS . 



3) ^¥1 1-345266 

24 

X nriETJ) £ . f -*\ F 5 >if 7 a y+ 1®<0 

jgLfcV^#ai-|.«iJlT'{i, XV-F^-F • 
•r^f-v^-e^i^^^T-n-feX^^lt-r^. ih- 

[0069] ^m^wsm^a^x . tt-v2im 

&JIHi8Sfc^-^ •/ FM8iMbSr^eW6 . Ztlii*- F 
^^•y-Sdt^y^a-VCOg^F yTOlAfcOt 

m^ttiit^mmm f u ) fflx^^-t- 

f fcBs^stu m^miMjEx-hzz t 
[0070] ^^m^mmza^x. 7o>-f • x 

VF • vXxA6<i, SiS*4fc^S7a>'F -xyFfc 
L-CfiJffl-tl.. -e^SSllW^filUi. iS8*4t^'-/^ • 
iy F • "9-— A- 1 Oigo);* >y • To F 
S^ffiRSrSft-f&Clfc-e&S. -e-ixti. X-7-F*- 
F5rfti.S3g*4* J >'N'-/^ ■ xy K ■ ■ «f 

A (back-end legacy system) 1 0 £ttL F5 yX^TU 
10 y FT'&S i 3 * -y FV— ^ flSS^T'S HA">xr 

twzy- f >>x-r coan5r«)t-ri t * -y f 

s^s. mm. -fy^-*-yF. PLU 

Ci r rus> StarSr^. MHi. 
C i t i share^M. 
[0071] ^^HBwH^ffitfc^T. #H^-t'X 
WaTiL ■ xy F • 0^'fiSLk^af 
cotSfgSraa . r>A>«A'./? • xyF • -t— b'xtt. 
10 iEBBSK (Certificate Authority) (CA) . n=F# 
X^A-fk-r^(Electronic Customization Depot) (EC 
D ) . ®?fi&0(Electronic Deposit Box) (ED 
B) . « : f^S(Electronic Vault) (EV) & 

Zmfeth ZttfX'% & . !$£<7>-t-t'Xj±-eil£<7)« 

mtzm^imt,z3mzti&. zasusub<^^-t'x 

50 1 0 CI b tfXZ h . 
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[0072] *%pm$3B&mi l zt5^x . wmm ( c 

A) limfiE^S»t7tJt®3*Tfcl>. z<owfflim%. 
I£5§|£. fcilM V9-*v f±-c&»*-*-x0>f 

^i7-xi/7ho^? • h^^if^v 
a y ( SET ) ^lx-v' a 54«WK-X'C** . i 
Oiofc. CAfcL #3fcWfc-fe*.x7 ■ F^yif^g 
y ■ 7n^*c7Mtlfcl> : F*IX&-U-ftt*c&„ MM. 
fflit. &hnW&tn4>9J9 is 

[0073] 4&W3£f£BJR£&»T. V¥-#X9J» 
ftrdfll, 77k >y F £iUn Lfc OfflBfc Lfc 0 LX . W 

f • y-rt-sw*-?- ■ T7Vtr-is 

g y . -tfwN'-fc LTfiSId . TTV-t F • -ir-^'-k 

-FaEMUBov-xra*. • rry*- 

fc^yn-F'-r 5. n-K*-tt. «i 

[0074] *K9iasacBjii&£tvc . w&mw? 

-9 v hSr^»"C. 

J^-^ktanx.. ffl*<om^K£S<i#Wg<9#-t t 

2<0V7F»7X7?3ESUt£fL-O , >£. ^cOio^rSW 

[0075] *%BHcoHSS^©^iJ^T. x ? 

ygy£lhK— Ft~£fc#>fc. 7ry'Jf^i!*ft?ft 
x-7-h*-K2±t*-H ■ rruir-i/aytaK 

J>S. o%7r is Vf- J \Z. #-F • 

? 7 9 *s 3 >"fl> ^ k £*J1E fT4 ;* * -XAX$> h . 
iiJnco-e^i^^^rv-'J^-fJi. • #-F • T7 
'J^-i^yk*? ■ *-F ■ rru^-s/g-yfcoH 

ihK-h-rs^^-XAcoj;^^^ - #-f • 77 1» 
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77!) ^- g y«77u -/Ft wftihz. ttf^w 
ti^lzmt. XV- F*- F 2*\4 yx b-lUZixtlT 

7 u-Aco^rru 3 ykiffittz t » 
$vM8i6]#s>9. ft* t -»t, <e*i&«i77u«yFkffc£ 

[0076] xm&mimmzh^x. x-?-f#- 

F ■ T/n-yaV • 75 k F7*-A»i, 2o<^ 

X7Afl§)£»0. -fe^f jt-'J-r-f t$Z£m:m&-f& - 
k. fiBStt«0j>S^^-XA^#t4T7l^-/ 

F«i8ttr^-bXSrflF$it, ^LTCI^r^-feXti, T 

4f a U f ^ B&AWi: $ ill. - k ^Hft^S fc«>fc , f) 

— F - T7U^-^3y - 75-y F7*-A{i^o*V) 
a^SrS^Sr-tA, 3*>2o#. rr'J^- 
ygykt— ^— • T7'Vtr-i'3yX't>?>. Wfc&i' 
XfA ■ 771/7 Ft L/C. ■ 77'jy-ya 

F ■ -»>--b'X$:gftt, *-F2tCT7W>y F 

>f yx F c: k . ?v-rt)V ■ r- ^ *>*-V 

^Ht-rs k k t tmaj-r^ k . *- a ? ■ <m 

m$ -»hJf- F-T 4 r k . &T7U «y F fcRaWtt 
^tlfc^E— 9— ■ 77 D 3 y<7)V y 7^Jtlfifi"S 

£k££tr. 

' [0077] *5KBcoie5BgStc:t5V^-C . yXfAtt, 
fficOT7l^ y F • 7d^ 0a%2ix^r7l- -/ 
Fk. ^M«SaJ»«77V>y Fk^tr. ^<0«td 
fc, *-F ■ T7'J^-^3y • 757 F7*- 

%Wl<o7v'U yis>t><rrr7\s~> f ensure l*^^? 
<7>>f yxF-z^-t^-F-rs. T7W-/FO. SlS^r 
yx F-;l/5r^- F-tS/^Cs ^UlSIUi*-^ 

- • rrv-y-^a y*tiffi?h. 

-y 3 y|i. 77W F ■ 7oA^rt<fcO«*&$ix4 
m&T7Uv h?b&. ■ TT'J^a 

) yji, 7o^M rwtAko^/c«i^:<?)r7V' y F^>f 
yxF-/P£:3yFo-^-r&. *-H±fctt*KWE 
■ 77'J^"-^3y* { J>0#S. • T 

7'J ^-v a yfcL #— <077V •/ F ■ 7nA>( /c^Tt 
*tPtt-<0Bffil«$r^31-tl.. Bf^^^-XAk^E— 

FcoW^x y^kHf-^S^Sr'SS-rS. 

f 2±<o : e— ^— ■ 77'J 5/ g y^-f yx 1 — >VL 
W&tth - k fcL 7n^ ^<0T7l^ -/ F wmgcV 
50 ■> y o- F $:-»fTK- F f 4 Jt^t^^rXf -y 7T& 
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h. 

[00781 #||BJJ(?5iil^ffitoS0«tt^«J#- 
Y2± J ^(?>~?X?- • 77V y-xa y<?M yx 1 — ^ 

v-h^-K2±-C. T-b'?-. ;* 
•y-fe-^" • T^N'y^i: txmtth. *-Y±X<r) 
77V ^--yaVKT/'J ^-^a V^<F>Wfk<F>4 V 

vli/^A*. X-?-Y*r-Y2±X; 7-b'?-. * 1 
ft*. T-b'?-fcLT»*><. tAfcocorr'jy-i/ 

3 vtfmstz fab b . mta. a u 

^xxh5rfi6jt-rSiHif-x y^<0^»{^ 

ift-e& srru ^-^ 3 yc^s&s&#jt.^tfi£i'i& m 

■ 77V*— isa>*>Mt>tl&. *<T)£o 

VXtimxh . wf*itf)*§£-et> . U ?xx b- £ 
gi»t*3&»if"53W4. BimZMi%V3*077V ir~ 

[0 0 7 9] ■ TTVf-i'a ytfy-h*- 

yN--(oa$-rs«o*±. mt& . 77 V* 

3 yco^yo- H+tXr- H 2±'\*^ffi077" 
•J ^- 3 y o- H <D£ R6±-t SfcaVC 

lx. <m%mtkimw)®mzm?i-?&zktzz. 

0. ^yo-K$ii/v:rrU^-->'3>'*^ffiW : 5:V 

[0080] rr'j^-yavii #Ji.«£, 

fXA'7ftt L-Cffiffl-TS. * -y-fe-^' ■ f^'S-ff 
• ro-bX«fS^-CJ>S* { . 3S®5:. * ■ IV- 

■f-f y*0<#-XATS>9. «fc/,lf*— F* 

U r^O(success)j HSfciSi". ZoTfti^mfe. 
77V *—^a y\t TX^— (error) j * -y-fe— i^SrS 

oT<s*f. A-h^i^rrg^r-ya^ 

•yfe-^i*0^ttl.o ^cOTT'J^-^a 
y# ri7-j * «yfe-s*fcjI-f£"C\ ifcO-X-yfe— f 



) ftffl^l 1-345266 

28 

[00811 #lfeHJJ«HS0$S?) t, ? tAto^a^Sr^ 

BSJi. a- V2±izm^tifzmxv7v *r-^ a y 

( ID77 ,, Jy'-y3>') <0^>XF-^tfc4. ID 

TTuy-^ 3 y«. T-?<offlS£i8it6*:«>t, £ 

(place holder) tLX®mth. hh77V*-l/ 3 

ytfmmmmz-mt-tm. *<7)77V7-~s 3 
yjie^iaa'jfcfr^r^^saj-rSs ztx. id 

y«. ^-HEirW^iiSfflfflffitT^-bx-cSI.^ 

[0082] ^JlCDHSBBMfcfcV*-?: . t-^- • T 

a. Sifflcot-^- • rr»j ^-x a yo^y o- k 
sfctoKs • t-^- ■ rruy-^a y*^ * 

?*7>u-YZixtz%c*-9- ■ 77Vr- 

v 3 yii, ^iaaw^STT-W' >y h yn- h l 

^t-^- • mi^-v-a yWT7v~> vnwya 
^sfit:, rrvvYZwm-hTrvy-z'aytm 

^ (AID) ^O^ixfcTT^ yhcoy^ya-F 

yfc J: 99£3ft*itf%&&». 
[0083] H3«. H 1 tz^Zti&tim?)fflx£%M 

- r-#- K 2^5illt^yn- Y-ttro-txizmt 
) &3£zzmm&m&-r&7v-i-*-YX'h&. si 

vm&ztuz-v-t'xcomiRxy' v 3 . ^- r-'^ 

W#2 44«« 5j-r^3y^SS?LTfffiTTV yh^^ 
»>yo-h-rS. *-F2k*-HBPfT#2 4J±W*k 
i,. isXTJ±ipy^yv—Y(Qfzlib<?Mt>frCD77'U~/ 
hSa^SUK:. «|g*^i.^iTiatf^f>^\ S3 
T\ r-*m^*2 4 fctAkomKOR^Sr^-XtU 
50 tzt'iS*Xiz£')irX-h21xfz77l'"/y. tiXtfti 
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- Y 2±-C*llfflT# hX^-XUz^oXh^ 0 77V •/ 
[00 84]*^«OHiS^©{=fe^T. 77V vMC 

7Mt;3*vT:i>«J:v>. ^-ttT. tUAfcowrw b- 
i)K * - K 2±fc**f>f h-*Z1VC \^ib<DT 

$ts. *»t&977V >y ho y x b - few* 2 4 

KlSSc** . 77V y FSflWC*- FB>r*#2 4 *f-f 

(7)^aoi85^*)S. f^W^vKo*><^Wi. £77* 
V <y Ftf>£tt*M X. D- K 2±<ofiJfflWlgx^-x. 

fcf. — B.77V y WVXb- A^tlSt. -HlJiS 

[0085] ^mrnmmm^zn^x . s 5x\ 

m*#24{±. ig«3*I*:77V y r- • VZhfrbU 

w >y f ecd*-*- • rru a h 2±tc 

7X\ irSl*— ? — " 77" 1) dr—i/s yWij— Kfciifln 

2*1*:^ ^frffit-?- • TT'J ^-^g 
tih. S8X. rru^-s/H ****** 

iJ^S^aVOy-b*- ^HMfifc*flS«LT. SIR 

u .„ h . -y—rt-frtzy^yn-VZtiXJ VXY-)V 
Ztlh. *^W*X^A-ftiT^2 6rtc7)-fc^J. 

mmrv -y f . 

[0086] imWrmmWZ&^X . 77V >y Yifi 

3^,7- 7ry'Jr-f 2&frtMt>tih. 77V v 

«H3 0*^tix*. S10T\ *-HBFtT*UU- 
v 3 y 5/ *7V*fi*1hK- r--f $tM77V » 

m^zmmx^tih^-WMimoff)X'\i^: 



[0087] xmiommBizii^x. mmz-mm 

v hiP. te<977Vy h«Bf#t**^x^ FcDrtS 
Java^-FOid&XV-Ftf-F"!. 77V-yr- 

fc^'x?hM^!!!^wri/7 hfcisr?* 

X^flF-f. -<^)20c7)«*^*-Xix2rffl^Tffiffl 

20 Mitf. m^7/W7Ml o-f^r'Jx-f -rr 
P7f-t«o>fy^5?y3ycJ:0. itw^^yir^ 

o>f^'Jf-( ■ TTVt V ■ TxvW # 
•&7y?u>U ?frt><T)T?V -y h , 
*<4*>V ■ 77*1/7 htzZVM yfJf'sayiVBM 

■r&zttfxzh. z <m<mwm5Mm i &£*r*- 
[0088] ^miomismtzti^x . TTU -y b 

30 ^-F*^ff$tL^S, ^-F2±C^-7yo-F 
T'{±. fiat:>f >X h -frZiXh T~T\/ -y F tm*&» 

IS'i^^Tv^v^. frarri/ yh^WWrt- 

S77T/7 \-\zftVX&t>¥ffii£$hk. ff*tri> 

40 T7-U yF«. **>J»3ftfctAfcoafcli«0>*7 

*. 

[0089] *5rfeBB«0lUS»©tfc^-C, «*$tL^:>r 
ii. %M#—T4Ty (guardian) ^\C^m^7^^ 

gm^tifz (guard) J>*tAkotfcl±1ga<^tiS^ 
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i/^9Y(T)^f,z1^fhoyYu—)Vi:W^L. Ztitz 

h i><Wtm$titt7^x 7 Y ■ 7 r 9 Y 0 £-£tf . 
mZtltz*7 : Jx?h • 7r?HJ(±. mf&yJT 
VV ■ 771"/ h<9»J?xxM$. 54 7?'; • ?5X 

[0090] *mxvmmmizt5^x . hh77v -y 10 
Yiimmt-r-t'xtmth. l*>u *-hm 

-f&tg;>j£^;t4.ri:te. 77V-yb*>\ #-K2t^ 
tb&b^tifzimX'iiA >X Y~-J\sZtimc^z\ b £B§ 
Set*. eUtJf. n^'JT^TTWMi, 

-XA*«*- H 2 £4 yx b -A^fifcB^ 5&tt<0* 
4ffl&*V)tM * 'J T 4 77V v hffmzti- P±£& 

^iZb'COto^m(7)77U -y h* s ^— F2±t^Rtt" 
2>frZ%£XZ&£oizt&izMZ. *-H ■ Try* 

[00911 #&Hfl£0liS©BJ8fcfc<-vC . T7-»J *->- 

3 v ■ wjx v y (i. a £oi»^K rru 

a yfc . e&*D»tfitt*fctt*7Vx? M&WHBfc* 

^< K 77V7-—i'sVt<nffi<V^*VX—^& : £& 

3fL<4yxh-A'§;ftJtr7V>y Mi. AID 
Srffiffl LT#- H 2±K*> o Wt^<D77V y h*« 

[0092] #?feBH<OHteJg©C;B^"C . 77V >y b# 

afv-7>=5rtt#£-5-;l4. £*>£fcli. Ztibtfx-?- 4C 
h ^- H 2±T'<9£fi««^#«&S*B8£ jSi-T^fi® 

yfci OlWf- h SftfcWfittfc*^* , r>f 7- 5 >y ^ 

• A yfyfisayZV-X-h-f-hyri'V-nlztin 
^ . T7 , )7-—i'a y\t. A— HS8*4*fc(i 

• xyF ■ yXfAl 0Wfc'*>^>tcttttLTt>. 
jj- 7 . #_|« . T7y?--i/3yt(04 yf^ri/ay 5 
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[0093] *W»0|liBK»C*^T . ^ 7" 5 y 7 

■&m&vhh. y^ya-\ i 2tifz77V yhim% 
ifffizti* n-v2^ yxh-^tttmiz. 

lRi:Sli2. ^•y-fe— K (message authentifi 
cation code) (MAC) W4l^t5iSi0fci6W"9"^— 

[0094] *W!H«IIIBE»(=*V»T. *-l«]Jf*# 

2 4***-r*-r^< w®aots«sr*- k 2±tis»a 

-) ii^WnBCfelttrt*. *K t"C, *-Y2rtBt9k 
*-h'0r*#24ttoTffl^«*t^. -<^> 

Rtt. #/?co^-H0r*#24cofc*t«^»^W2r^ 
tfiK^^r 7 HflHBB«l7 r i^U f- < ^ 

^W3 2^S»t-&. #«<o«^fi^WJ±. Jyxv- 

)VZtltz&77V -y b ^t^fflf»3 1- fc R« 
lc» 2±^4 yx h-^tutrru y K^)V7 

[0095] #f6W3!Sit9$Bfc*JV v C, ^Sll^Kl^ 
cOT'n/NM y<7)77V -/hi. A— H 2^4 yx 

n^rrb- yb^a-ri.-t^^'J^'f 

fc»tc. H 2±c7)TTV y h 

;l/2rfi6ffl-rSC:i:(=J: <)1&®tZ>. 77V-y h ■ roA 
-f ^WiK&lt?:-^- h-r&fc«>t. #T7*^ -y Mi® 
^SflfflbT. m^«3 2rt^nt-§n^r-^ 

^-XA^fiEffltT. «-T7"U-y hti^'-y^T yT+t: 
-e<0^W7'7'f yb* • 3K-tffiRU. -eLT0g4' 
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[0096] *56BB«OHtfiJg®tci5V^T . ^ 

mm. *y ■ *-k • *7s>x? M4. #fsc^ : 

t a -f^ y7TW»=H«Lt\ MM:. *7 ■ 

•C§, CHlJi, Hitf. SSgWajLS; remote method i 
nvocation ( RM I ) <7)tl#>0) J ava7TJ / !)f •(J 
fM,Y» Java*-HOi3=Sr*-H -75"yh7* 

[0097] *%BBC0HlteJg®tfcV^T . 

^cofiLS^a^rsi^sLfci^^ • • *7^*x;? 
i&uts. siM-75>x?h*>wi*iftK-K*"*. & 

[0098] ^HBWH^lSttJv^T . S^^ii^T 
Tl"y h<7>gSMi Java*— KW.ko&tf-K ■ 77 

(AID) ^3'Cfe*L*a3*l&. 771^-yhAID 
14, 09&O771' -y I- • A-5>9 yfc§HW*»«c33E 

^ £-&tfA I DfflcO*— $y7 ■ Xdf— i» (naming sch 
erne) *i]-XMX. MHi. 77V -y Y ■ 9 
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5*<D&4t>*>#Bfe»«HELfcfc. 77W KD/c 
•*-b-M4Mfctt4WffiT'J>'). *-KCli#J 

fc LTcomi^»3 2 OfM»atM>& . 
[0099] *%HflcoHig}e©tfcV^T. 771- -/ b» 
^v<-y 3 yll ^cO^t^y^'x^hSr^T. 

8±iraT«3 2T30e£ftfc>'W?T*r • 3K- 
*»A>lHia$<ut77U -y h • sTTVx 7 V t £S£&i. 

• xyy^t!) y7 ■ 77a-^-»4, V7\>*> 
x7IW7n-b^(c«84r7o*x ■ avha-rt'M 

7£f£SH-&. *v-h*-l^®Sb^*>ivO*S«r 
fc»4. 771/ -/ <f&%X'foh^t i£ 

9fc-4~&. Z.c?>£olZ. ?*)-»V-J±T7u-^<F> 
m&%7v-txmtt&. rfcSfcV^h^xT ■ 70^'x 

[oioo] i&&tmm«0»* u^wraw. w% 
[affiwfgm&ifcBB] 

l *i*wrt*»^7^5AT*'). 

[02] *WJW£^W>rz#><r)X-?-Y*)~Y ■ 7 

[03 ] *^Ha«o*^Bffiwta6«. 0 1 C^tfifSw 
8£h.S:Jfc*ct. 77U-yb*aBlt'aWtfc^v-h* 
-K^^yo-F-t67n*Xfc:»tS. jg^SBSffl 
^Utt-rSWBS^ 77^ AT'fc 0 . 

[04 ] *^HB<?5llSfeJg®<0Jt«>«077L/-y h?r^?t 
•CSIHtcx v- h#- H^7«> y a- Y-T & 7a-feX fc 
40 H : 5rl>fi«HS:ffiW'&7D-^-hT'J>&. 
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METHOD AND SYSTEM FOR MANAGING APPLIC ATIONS FOR 
A MULTI-FUNCTION SMARTCARD 

3 Cross-Reference to Related Applications 

This application claims the benefit of U.S. Provisional Application No. 
60/079,803 filed March 30, 1998. 

Field of the Invention 

10 The present invention relates generally to smart cards, and more 

particularly to a method and system for managing applications for a chip-based 
smartcard which has processing capability and storage capacity for more than one 
smartcard function. 

is Background 

Single-function magnetic stripe cards, having a magnetic stripe on a 
plastic card, have been in use for many years. Such cards are based on magnetic 
stripe technology that can hold, for example, up to 40 characters of data on three 
tracks, including such information as the cardholder's name, account number, and 
20 expiration dale. Existing credit, debit, and pay phone cards are magnetic stripe 
based. 

Single-function chip cards having, for example, an 8-bit microprocessor 
chip, such as 8051 or 6805, embedded in the plastic card offer limited processing 
capability and memory storage capacity, such as I to 2K E 2 PROM. Such cards 
25 support a single function, such as stored value, and offer better security via 

tamper-resistant hardware and reduced on-line transaction and infrastructure costs 
over magnetic stripe cards. The contents of such cards are fixed at the time of 
issuance. 

Multi-technology hybrid cards blend more than one card technology into a 
30 single card. Technologies that are applied to such cards include magnetic stripe. 
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2-D bar code, optical stripe, and chip. The rationale behind such a combination is 
to leverage the processing power of a chip with either the backward compatibility 
of the magnetic stripe or the storage capacity of the 2-D bar code or optical stripe. 
With regard to the chip-optical combination, a combination reader is capable of 
reading and writing both the chip and optical stripe portions of the card. 

Other cards combine contact and contactless technologies. Contactless 
cards are the functional equivalent of contact cards but use radio frequency 
technology to interact with the card reader instead of being inserted into a device. 
A card with contactless technology transmits transaction data and records the data 
that it receives when passed within either one millimeter (close coupling), 8-10 
centimeters (proximity), or 0.5-1 meter (vicinity) of the reader. With contactless 
cards, transaction times are reduced 20 to 30 times as compared to cards requiring 
insertion into a device. Such combination cards offer the convenience, 
performance, and reliability of a contactless card, along with the security and 
functionality of a contact card. These cards have gained popularity as facility 
access and mass transit applications, such as bus, train, subway, and ferry, and 
have emerged as viable smartcard applications, especially when they are 
combined with payment methods on a single card 

While static multi-function chip cards are capable of handling multiple 
functions that were masked into E 2 PROM at the time of card initialization, they 
are static because applications and functions are fixed once the card is issued 

The smartcard industry has been around since the 1970s. However, with 
the exception of Europe, most of the world has not gone much beyond trials and 
pilots. For example, financial institutions, such as banks, have introduced stored 
value cards, such as VISA CASH and MONDEX, to customers and merchants in 
pilot programs. In such pilot programs, stored value cards have been tested in 
densely populated areas to help reach a critical mass of acceptance in the 
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marketplace of consumers and merchants and to establish interoperability at 
merchant point of sale (POS) terminals. 

While the increasing rate of smartcard usage is encouraging, it is also 
evident that single- function smartcards, such as stored value or pay phone cards, 

5 are a hard sell in the United States. This is mainly due to the convenience of cash 
and the ubiquity of credit card usage. Hence, stored value applications, at best, 
can be considered applications that are necessary elements of any real world 
smartcard programs, but are not sufficient in themselves to create a critical mass 
of smartcard acceptance. 

10 Since its inception in the 1970s, a first movement in the smartcard industry 

began at the genesis of the technology, when a chip-based plastic card was 
developed to replace its magnetic stripe counterpart. Such a card offered added 
security and reduction in costs associated with on-line transactions and their 
underlying infrastructure support. A second movement can begin in the 

1 5 smartcard industry with the advent of a dynamic, multi-function smartcard. 

The United States had little active involvement in the first movement 
because of the establishment in the telecommunications infrastructure and the 
ubiquity of credit card usage. However, the United States can be a leader in the 
second movement, because of reliance by the electronic commerce industry on 

20 the smartcard to offer much needed portability, security, encryption, and 

authentication. Development of technologies, such as a Java card platform can 
allow the smartcard industry to realize the advantage of ti write once, run 
anywhere" in which an application needs to be written only once and can then run 
on any card from any manufacturer. 
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Summary of the Invention 

It is a feature and advantage of the present invention to provide a method 
and system for managing applications for a multi-function smartcard, which 
allows cardholders to carry less cash and affords cardholders nomadic access to 
Gnancial and other services at any time or place and via any device. 

It is a further feature and advantage of the present invention to provide a 
method and system for managing applications for a multi-function smartcard, 
which enables cardholders to organize personal information. 

It is an additional feature and advantage of the present invention to provide 
a method and system for managing applications for a multi-function smartcard 
which allows cardholders to carry fewer cards and to use the same card to conduct 
a suite of applications. 

It is another feature and advantage of the present invention to provide a 
method and system for managing applications for a multi-function smartcard. 
which offers cardholders a means to back up their valuable information on the 
card. 

It is a still further feature and advantage of the present invention to provide 
a method and system for managing applications for a multi-function smartcard. 
which affords cardholders the ability to store all types of information, such as 
emergency information or insurance information on the card. 

It is still another feature and advantage of the present invention to provide 
a method and system for managing applications for multi-function smartcard. 
which can be customized by cardholders selecting applications based on personal 
needs and preferences. 

To achieve the stated and other features, advantages and objects of the 
present invention, an embodiment of the invention provides a method and system 
for managing applications for a multi-function smartcard, such as adding new 
applications or applets to the smartcard for a cardholder, which includes, for 
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example, installing a monitor application for the new application on the smartcard 
microcomputer, authorizing download of the new application by the monitor 
application and by a master application resident on the smartcard, and 
downloading the new application to the smartcard microcomputer. Key hardware 

5 components of the system include for example, the smartcard embedded with a 
microcomputer, a terminal, a network, and a server, such as a financial institution 
server. Important aspects of the card application platform are the master 
application and the monitor application. The master application serves as an 
arbiter, a gatekeeper, and a message dispatcher on the smartcard, and the monitor 

to application is a special applet supplied by an applet provider, which controls the 
installation of the provider's applet or applets on the smartcard. 

In an embodiment of the present invention, the monitor application is 
installed, for example, by downloading the monitor application from a server, 
such as an electronic customization depot, which includes functionalities of either 

1 5 or both of an applet server and a monitor application server. The monitor 
application is downloaded, for example, at a terminal, which is any one of a 
number of access devices, such as an automated teller machine, a merchant 
terminal, a personal computer, a personal digital assistant a TV set-top box. a 
land phone, a cell phone, a digital phone, a cable TV box, a satellite TV box, a 

20 contact reader, a contactless reader, or a combination contact and contactless 

reader. The monitor application is downloaded, for example, at the terminal from 
the server over a network, which is either public or proprietary. In any event, 
initializing the monitor application with a key provided, for example, by a server, 
either during initialization of the smartcard or after the smartcard has been issued. 

25 is an aspect of authorizing download of the new application. Another aspect of 
authorizing download of the new application is registering an application 
identifier for the new application with the monitor application and subsequently 
with the master application for dispatching of messages. 
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la an embodiment of the present invention, a security aspect of 
downloading the new application to the smartcard is verifying the identification 
of the cardholder, for example, by an application on the smartcard 
microcomputer. Such identification is done, for example, by a PIN of the 
cardholder or with biometric data for the cardholder. The latter is performed, for 
example, by a scanner at the terminal, and the biometric data, such as the 
cardholder's finger print, is compared with a reference template on the smartcard 
Another security aspect of downloading the new application is authenticating the 
smartcard, for example, by the server. 

In an embodiment of the present invention, the cardholder is offered a 
selection of service options by the system, including the option to download a 
new application to the cardholder's smartcard. Upon selecting the option to 
download a new application, the cardholder is offered a list of qualified new 
applications, according to pre-defined parameters, from which to select The pre- 
defined parameters include, for example, whether a particular new application is 
supported by business based on the relationship between the cardholder and the 
financial institution, and whether there is sufficient space on the smartcard 
microcomputer to accommodate a particular new application. 

In an embodiment of the present invention, the cardholder makes a 
selection of a new card application from the list of qualified new applications, and 
the new application is downloaded to the smartcard from the server, such as the 
electronic customization depot, which has either or both of applet server and 
monitor application functionalities. The new application is downloaded at the 
terminal, which is any one of the smartcard access devices, such as an automated 
teller machine, a merchant terminal, a personal computer, a personal digital 
assistant, a TV set-top box, a land phone, a cell phone, a digital phone, a cable TV 
box, a satellite TV box, a contact reader, a contactless reader, or a combination 
contact and contactless reader. 
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In an embodiment of the present invention, the new application is 
downloaded over the network, which is public or proprietary, and installed on the 
smartcard microcomputer. The new application is installed using a security 
mechanism of the monitor application, and the new application is supplied with 

5 an operation key. The new application is also supplied with cardholder 

information, as well as a new digital certificate. The new application is registered 
in a software registry of the smartcard microcomputer, according to an object- 
oriented classification of the software registry. A copy of the smartcard registry 
is furnished to an electronic deposit box of the financial institution, and the 

10 electronic deposit box is updated with a copy of operational data for the new 
application. At least one object of the new application is selectively shared with 
at least one object of another application on the smartcard. and the selective 
sharing is one or both of restricted and unrestricted sharing by the new 
application. 

15 Additional objects, advantages and novel features of the invention will be 

set forth in part in the description which follows^ and in part will become more 
apparent to those skilled in the art upon examination of the following or may be 
learned by practice of the invention. 

20 Brief Description of the Drawing 

Fig. 1 is a schematic diagram which shows an overview of examples of the 
key components and the flow of information between the key components of the 
system for an embodiment of the present invention; 

Fig. 2 is a chart which shows a sample of layered hierarchy in the 
25 smartcard platform for an embodiment of the present invention; 

Fig. 3 is a schematic diagram which amplifies the flow of information 
shown in Fig. 1 and provides further detail regarding the process of selecting and 
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securely downloading an applet onto the smartcard for an embodiment of the 
present invention; and 

Fig. 4 is a flow chart which provides further detail regarding the process of 
selecting and securely downloading an applet onto the smartcard for an 
embodiment of the present invention. 

Detailed Description 

As smartcard technology has evolved from the single function magnetic 
stripe card, the cost of each card technology is proportional to the capability it 
delivers. For example, a rough estimate of cost for various card technologies 
ranges about $0.15 per card for single function magnetic stripe cards, about $2.50 
for a single function chip card, about $3 per card for multi-technology hybrid 
cards, about $4 for a static multi-function chip card, and about $7 per card for 
contact-contactless combination cards. A rough estimate of the cost of a multi- 
function chip card for an embodiment of the present invention is in the range of 
about $9. Moore's law, which projects that chip processing power doubles while 
the cost reduces in half every 12 to 18 months, indicates that as die demand for a 
multi-function card rises over time, the corresponding cost will decline steadily as 
time passes. 

In an embodiment of the present invention, a cross-industry multi-function 
smartcard can handle more than one application and can support the installation 
of new applications after the card has been issued. Application functions of a 
multi-function smartcard include, for example, payment vehicles, such as credit 
debit, and stored value. Other functions of a multi-function smartcard include, for 
example, access keys for facility and network access, information manager for 
managing an individual's profile, demographic, and preference information, 
cryptographic engine for conducting encryption and authentication, and 
marketing tool for loyalty programs and coupons. 
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In an embodiment of the present invention, given the possible 
combinations of application functions, a multi-function smartcard serves as a 
bridge between the physical world and the virtual world. For example, a 
cardholder can use the same card to conduct purchases over the Internet and at 

5 merchant POS terminals. A smartcard infrastructure platform, such as a Java card 
platform, supports a multi-function card environment which is open, secure, 
multi-functional, dynamically downloadable, chip platform independent, and 
broad programmers based. 

In an embodiment of the present invention, it is noted that the term multi- 

10 function and multi-application smartcards have different meanings to different 
groups of people. The differences are articulated as differences between a 
function and an application. A function is a generic concept, while an application 
is the actual realization of the concept in a particular implementation. For 
example, electronic purse or stored value is a function, while, for example. VISA 

15 CASH or MONDEX purse is an application. The correspondence between the 
two is many-to-many, in that many applications can be classified into a single 
function, as in the case of electronic purse, and many functions can be embodied 
in a single application. For example, Visa's VIS application consists of both 
credit and debit functions. Therefore, a multi-function smartcard is defined for 

20 example, as a chip-based plastic card equipped with the necessary processing 
capability and storage capacity to handle more than one smartcard function, and 
thus more than one application, which are either installed at the time of issuance 
or loaded during runtime. 

In an embodiment of the present invention, a broad platform strategy is 

25 applied from end-to-end, allowing simultaneous download and upgrade of 

software, from the card to the terminal and, ultimately, to the server. The system 
provides a flexible distributed architecture, whereby the intelligence or processing 
capability is distributed throughout the system. For example, depending on 
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application needs and business requirements, migration of processing capabilities 
from a terminal, such as an electronic wallet, to the card or to the server is 
permitted With such an end-to-end perspective, system-wide concerns such as 
security, performance, interoperability, and standardization are reflected and 
5 addressed 

In an embodiment of the present invention, industry-specific application 
templates or generic applications are created that can be derived or inherited to 
produce specialized applications. Templates facilitate reuse, enable 
customization, and promote interoperability. Standards and interoperability are 

10 tightly coupled, and standards enable interoperability. Toward that end a 

reinvigoration of the EMV standard adds stored value to the existing debit and 
credit functions. Similarly, incorporation of smartcard capability in the Secure 
Electronic Transaction (SET) standard solidifies a chip-electronic commerce 
vision as the industry moves forward. 

15 In an embodiment of the present invention, there are, for example, three 

areas of primary focus in the development of a card application platform. One 
such area is secure dynamic application download, which includes, for example, 
policies and mechanisms for securely installing card applications on a smartcard 
after the card has been issued. Another such area is on-card application 

20 interactions, which includes, for example, mechanisms for allowing card 

applications to discover and safely interact with each other. An additional such 
area is off-card application interactions, which includes, for example, mechanisms 
for supporting secure interactions between on-card and off-card applications and 
for supporting advanced system management. 

25 In an embodiment of the present invention, a dynamic multi-runction chip 

card has on-card infrastructure support to facilitate post-issuance download of 
new applications. It is dynamic because card applications can be added or deleted 
after the card is issued, and an embodiment of the present invention provides an 
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end-to-end architecture to facilitate such an operation. Relationship cards, such as 
Bankcard and Citicard, have traditionally been the vehicle for extending services, 
for example, to customers of a financial institution, such as Citibank. A multi- 
function card provides a relationship card for the financial institution that 
integrates, for example, stored value (pay before), debit (pay now), credit (pay 
later), and Citicard (ATM access), with other cross-industry services as part of the 
financial institution's overall strategy to broaden and deepen the relationships 
with its customers. Further, by incorporating the credit functionality, such as 
Bankcard, as part of the relationship, the financial institution maintains its brand 
leadership while extending financial services relationship, for example, for 
Bankcards. 

In an embodiment of the present invention, the multi-function smartcard 
affords nomadic access by the portability and mobility of multi-function 
smartcards. Such cards are an essential part, for example, of a new distribution 
model, in that the cards are used for access at a multiplicity of delivery vehicles, 
such as the Internet, GSM phone, cable, and WebTV, over all distribution 
channels. With such nomadicity. a multifunction smartcard enables a customer 
to conduct financial services anywhere, anytime, and via any device. 

In an embodiment of the present invention, a multi-function smartcard 
supports and maximizes the global position of a financial institution, such as 
Citibank, in consumer and business electronic commerce, as the financial 
institution's core business lies in the transfer of value or movement of money and 
the extension of credit and related services. Lack of security and resulting 
proneness to fraud inherent in magnetic stripe cards costs financial institutions 
millions of dollars each year. The tamper resistant hardware and on-card 
infrastructure support of smartcards offers added security and cost savings for 
issuers and customers alike. 
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In an embodiment of the present invention, a primary benefit offered by a 
multi-function smartcard is convenience. Such cards provide great value to 
consumers, for example, by allowing consumers to carry less cash, by affording 
consumers nomadic access to financial and other services anywhere, anytime, and 

5 via any device, and by helping consumers to organize personal information. 
Another benefit which such cards offer consumers is consolidation. Consumers 
are attracted by the idea of combining everything in one place or in one card. 
Consolidation allows consumers to carry fewer cards in their wallets and to use 
the same card to conduct a suite of applications. Such a card is truly the ultimate 

10 thin client As more and more information is consolidated on the card, an issue 
arises about the potential loss of the card The financial institution offers a means 
for its customers to back up their valuable mformation on the card, which puts the 
financial institution in a unique market differentiating position and further 
strengthens its relationship with its customers. 

15 In an embodiment of the present invention, a further benefit afforded 

customers by such a card is information storage. The concept of storing 
information on the card is a powerful proposition to consumers. This not only 
saves time, as in the case of filling forms, but can also be lifesaving, as in the case 
of storing important emergency information, such as allergies to medications or 

20 insurance information. A still further benefit afforded to customers by such a 
card is customization. With the dynamic downloadability of the multi-function 
card environment, consumers are able to customize the card by selecting 
applications based on personal needs and preferences. This puts the control of the 
card back to the consumer so that the card truly reflects the consumer's 

25 personality and lifestyle. 

An embodiment of the present invention moves from a terminal-centric 
world to a customer centered, smartcard-centric world in which the smartcard is 
regarded as the ultimate thin client. The smartcard holds the cardholder's 
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identity, such as biometrics, along with other payment and access vehicles that 
allow the cardholder to conduct transactions anywhere, anytime, and via any 
device. With such portability, the smartcard can truly enable nomadic access to 
the various services through both the physical and the virtual worlds. 

5 In an embodiment of the present invention, interoperability means 

different things at different levels of an end-to-end architecture. In essence, it 
means mat two or more applications or participants can use each piece of the 
infrastructure, such as the card itself, the terminals interacting with the cards, the 
electronic customization depot for card applications, the acquisition and card 

10 management systems, and the settlement systems- Interoperability is a foundation 
necessary for operating multi-function cards and is thus a very important feature 
of the multi-function smartcard in the electronic commerce industry. 
Interoperability is a vital feature at all levels and is in place, for example, in the 
card infrastructure, among card applications, at the terminal-to-card interaction. 

1 5 and within the network infrastructure. 

In an embodiment of the present invention, at the card infrastructure level, 
the system has a standardized virtual machine interface and the supporting class 
libraries, such as provided by a Java card mfrastructure. At the card application 
level, in order for applications from different service providers, that are either 

20 within an industry or across industries, to interact with one another, the system 
has a set of pre-defined interaction models at the terminal or network system, as 
well as in the card infrastructure, such as die Java card mfrastructure. At the 
terminal level, terminals are powerful enough such that different cards with 
different applications can be read on more than one terminal type. For example. 

25 an airline loyalty terminal is able to read stored value cards to speed payment, and 
secure access applications work in electronic ticket gate access environments. At 
the network infrastructure level, a network infrastructure supports multiple 
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application messaging scheme and/or communication protocols, as well as 
application downloads. 

In an embodiment of the present invention, a card platform, such as the 
Java card platform, serves as a standard for smartcard infrastructure. A card 
platform, such as the Java card platform, as the infrastructure for the smartcard is 
designed to achieve interoperability of applications both on the card and at the 
terminal. Specifically, a smartcard application designed for the Java card can run 
on or be added to any card supporting Java Virtual Machine (JVM) and Java class 
libraries. Similarly, interoperability at the terminal is achieved when the terminal 
has a low-level card agent or service provider that is capable of conversing with 
Java card applications on the other end. In such an environment, cards issued by 
different vendors seamlessly run on terminals from any vendors with varying 
capabilities. 

In an embodiment of the present invention, while financial services 
applications have been prototyped on the Java card 1 .0 platform, for example, via 
Schlumberger's Cyberflex cards, cross-industry applications utilize the next 
generation smartcard platform, such as the Java card 2.0 specification. This 
platform serves to demonstrate the capability of such a multi-function card 
environment and to demonstrate how new applications can be added to the card 
post-issuance. Looking beyond the card infrastructure, an architectural 
innovation enables development of a coherent end-to-end application. A suite of 
platforms, such as Java platforms, is identified that are intended for different 
delivery devices and systems. In descending order of scope, such Java platforms 
encompass, for example, Java JDK, personal Java, embedded Java, Java wallet 
Java card, and picoJava. 

In an embodiment of the present invention, templates are the basic 
definition of applications which are essential in defining a generic application 
such as stored value, loyalty, or telecommunications. They are the basis on which 
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can be built specific, branded versions of the application for a financial 
institution's customers. Templates are about function rather than branded 
identity. In a more technical sense, templates offer the foundation for building 
generic applications. Template facilitates reuse, thus shortening the development 
cycle. Specialized applications are enhanced from generic ones. Templates 
facilitate interoperability between applications, subject to firewalls. Therefore, it 
is advantageous to have a baseline stored value application that works in the same 
way across, for example, MASTER CARD/MONDEX, VISA, and EUROPAY. 

In an embodiment of the present invention, industry-specific application 
templates, or generic applications are created that can be derived or inherited to 
produce specialized applications and achieve interoperability at the card 
application level. Card application development is coordinated by the use of 
templates. Templates facilitate reuse, enable customization, and promote 
interoperability. In order to facilitate the process, Smart Card Special Interest 
Groups, or SIGs (one per industry segment) are formed. Each SIG is responsible 
for individual industry template development. The task is similar to the work 
done by the travel industry, under the I ATA Smart Card Subcommittee and IATA 
Resolution 791 to specify an Airline ICC. 

In an embodiment of the present invention, standards and interoperability 
are tightly coupled, and standards enable interoperability. Toward that end the 
EMV standard is re-invigorated to add stored value to the existing debit and credit 
functions. This enforces a unified electronic purse definition covering the 
functionality offered, for example, by VISA, PROTON, and other stored value 
products. Similarly, the SET standard incorporates smartcard capability to 
solidify a chip-electronic commerce vision as the industry moves forward. 

In an embodiment of the present invention, other standards that facilitate 
interoperability are, for example, Microsoft's PC/SC and NCI's Open Card 
Framework (OCF). Finally, financial institutions work closely with the 
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telecommunications and set-top box industries to assure that the next generation 
GSM and the set-top box systems comprehend the needs of "nomadic" access to 
the various financial services, including home banking and electronic commerce. 
This is realized by cell phones and set-top boxes offering a two-card scenario, in 
5 that a user controlled smartcard provides secure identity in addition to customized 
applications, while an independent card issued by the specific industry controls 
the access to the underlying telecommunications or Internet services. 

In an embodiment of the present invention, a smartcard has present and 
potential future capabilities in the electronic commerce age. However, in the age 

l o of Internet and electronic commerce, security threats continue to dominate the 
consciousness of the technology marketplace. In order to conduct secure 
exchange of purchasing orders and payment authorizations, public-key based 
financial transactions are of essence. For example, Secure Electronic Transaction 
(SET) has established itself as the leading standard in the electronic commerce 

15 world Presently, certificates are an intrinsic part of the SET process. They arc 
stored in the PC at the consumer end. Aside from security, lack of portability or 
mobility is a drawback for the approach. Hence, it is necessary to maintain 
separate certificates, for example, for use at home and in the office. 

In an embodiment of the present invention, portability concern with a 

20 smartcard is resolved by putting the certificates on the card. Difficulties created 
by the present certificate size (around 1 K bytes) and the necessity for a chain of 
certificates to conduct an authentication process are alleviated as the capacity of 
the card and the industry standards evolve, such that holding certificates or some 
cryptograms as being proposed by EMV are as feasible as storing the cardholder's 

25 PIN. Alternatively, storing one or more private keys on the card, while leaving 
certificates on the PC, also provides an interim solution. 

In an embodiment of the present invention, verification allows the card to 
uniquely verify the identity and authenticity of the cardholder. The most common 
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verification mechanism is the use of PIN. However, the PIN mechanism is based 
on the secrecy of the information. If it is lost, stolen, or if the cardholder forgets, 
the mechanism becomes insecure or unreliable. Biometrics oriented verification 
offers high accuracy and confidence in identifying the owner without the burden 
5 of PIN memorization. The reference template or templates of the cardholder's 
biometrics, along with one or more verification algorithms is stored on the card, 
such that a person's personal identification never leaves the card As an 
alternative to on-card template comparison, the exchange is secured between the 
card and the terminal. In addition, the two devices are mutually authenticated to 
1 o minimize the threat of exposing the confidential information in an unsecured 
environment 

In an embodiment of the present invention, the smartcard is equipped with 
either a high-performance microprocessor or a crypto co-processor to be capable 
of providing privacy, integrity, confidentiality, and non-repudiation for trusted 

15 transactions. This is accomplished through encryption (DES symmetric key or 
RSA public key based) and authentication (comparing digital signatures). In 
order to alleviate concerns about time consuming, computation intensive 
operations, such as the RSA public key operation, techniques such as Chinese 
Remainder Theorem (CRT) are applied to further accelerate the computation 

20 process. Alternatively, Elliptic Curve Cryptography (ECC) also offers 

comparable security with shorter key length. Ultimately, it is preferable to create 
private keys from within the card and use the keys to generate digital signatures 
using, for example, 16-bit and even 32-bit RISC processors rather than older 8-bit 
smartcard technology. 

25 Information stored on the magnetic stripe or in the PC has been known to 

be insecure and easily counterfeited or stolen. In an embodiment of the present 
invention, the smartcard is regarded as the hardware token that offers tamper 
resistance to physical attacks. In addition, information is further protected against 
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unauthorized access through configurable access control measures such as PIN 
entry or biometrics comparison for reading or writing files on the card. 

In an embodiment of the present invention, the smartcard has encryption 
capability to secure a message exchange between the card and the terminal (or the 
5 host) by encryption or message authentication code generation (MACing) the 
data. Data is downloaded to the card for information update or configuration 
setting. Provision is made to allow uploading of data or tokens/tickets to a remote 
server for short-term storage or long-term backup, for example, for a cardholder 
who wishes to temporarily store his/her electronic tickets to a remote server 
10 before using them. Further, in order to allow the financial institution to restore a 
stolen or lost card, provision is made for customers to backup the information on 
the card. 

In an embodiment of the present invention, the smartcard has the ability to 
download new applications after the card is issued. This goes above and beyond 

I s the normal loading of data to and from the card and allows the cardholder to 

customize the card functionality to meet his/her own preference. For card issuers, 
such as Citibank, this also enables, for example, software upgrade, addition of 
new applications, and introduction of security algorithms without having to re- 
issue the card. This is an attractive business proposition from the perspective of 

20 total cost of ownership. 

In an embodiment of the present invention, a number of categories of card 
applications are provided which are not mutually exclusive. In migrating from a 
single-function card environment to a dynamic, multi-function card world, 
financial institutions and consumers may aggregate applications from one or more 

25 of the categories. For example, payment applications, such as debit, credit and 
stored value can co-exist with such applications as loyalty program, facility 
access, and network access. 
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In an embodiment of the present invention, classification of applications 
into groups formulates a strategy which establishes a framework for developing 
applications within individual group or industry. For example, an information 
manager group is regarded as a generic template or, more precisely, a base class 
5 t1iat t for example, can be enhanced to derive specialized applications, such as 
profile, demographic, and preference applications. Such a framework 
establishment is exploited to facilitate reuse and enable customization. In 
establishing a coherent interface across related applications, the accessibility to 
the grouped services for both on-card or off-card applications, such as an 
10 electronic wallet, is also maximized. Such a design principle lays the foundation 
in organizing applications for additional financial institution smartcard initiatives 
and drives toward standardization of interfaces for individual category or class of 
applications. 

In an embodiment of the present invention, the stored value application 
1 5 offers a first view of what smartcard can offer as a cash replacement in an otT-1 ine 
environment The payment applications are elements in a multi-function card 
environment. An integrated payment card includes all three payment methods, 
namely, debit, credit, and stored value, for consumers. The payment card serv es 
as a bridge between the physical and the virtual worlds in the electronic 
20 commerce age. In addition to such open currency payments, other closed 

payment vehicles (in a form of barter) include, for example, electronic tickets and 
transit tokens (as a form of payment to the system), and theme parks tokens (used 
in a closed entertainment environment, such as GameWorks and Disneyland). 
Leveraging the stronger identification and verification capabilities, electronic 
25 benefits (another form of payment) are paid through the smartcard as well. 

In an embodiment of the present invention, conducting secure and trusted 
transactions over the physical or virtual world requires, for example, a two-tier 
process of verification and authentication. The cardholder s identity is verified. 
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and there is a mutual authentication between the card and the interacting device or 
server. In holding a cardholder's identity in the form of a PIN or a biometric 
template like finger print, the smartcard offers a means for secure access of 
facilities and networks by conducting or facilitating the verification process. The 
5 former requires the template matching algorithm to be resident, for example, on 
the card such that the verification is done locally. 

In an embodiment of the present invention, once the cardholder's identity 
is successfully verified, the smartcard then performs mutual authentication with a 
terminal or a remote server to ensure a trusted transaction. Given such 

10 capabilities, the card behaves as the access keys in both the physical world for 
facility access and the virtual world for network access and E-commerce 
transactions. A generic cryptographic framework is established as the foundation 
for developing cryptographic applications. Such a framework allows use of such 
services for both cm-card and off-card applications to maximize reuse and shorten 

15 the time-to-market. 

In an embodiment of the present invention, the smartcard enhances a 
trusted relationship between, for example, a bank and its customers, based on the 
secure storage of both value and information of the cardholder. Several types of 
information pertaining to a cardholder can be stored on the card. For example. 

20 personal identification , such as name, blood type, date and place of birth, 

mother's maiden name, address, and phone number can be stored. Profile and 
demographic information, such as marriage status, number of children and their 
ages, income level, and hobbies can also be stored. Further, preference 
information, such as language, frequent calling numbers, airplane seat 

25 assignment, and computer configuration can be stored on the card Additionally, 
privilege and entitlement information, such as administrative status for computer 
and network access can be stored on the card 
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In an embodiment of the present invention, the smartcard plays the role of 
an information manager on behalf of the cardholder that safeguards and manages 
the cardholder's personal information. This is important as consumer privacy is a 
leading concern in the smartcard and electronic commerce industries. Different 

5 kinds of information require different levels of security measures to authorize an 
access. Much of the trusted relationship between a financial institution, such as a 
bank, and its customers hinges on how well the financial institution manages its 
customers* personal information. A flexible yet secure information access 
mechanism is provided, such that applications like filling forms at a doctor's 

10 office can be automated without the concern of invasion of privacy. 

In an embodiment of the present invention, the smartcard provides a 
marketing tool for both merchants and financial institutions by storing loyalty 
points or coupons for individual retailers. On-card loyalty applications provide 
cardholders flexible shopping benefits, including instant loyalty points reward and 

15 redemption, for both physical and Internet transactions. In addition, churches and 
schools can, for example, issue scrips to benefit their causes from the sales. 

In an embodiment of the present invention, by allowing download of new 
applications after the card is issued, the smartcard offers a unique delivery 
channel in distributing customized services. The cardholder can determine the 

20 applications on the card and make adjustments as his/her lifestyle evolves. For 
example, the cardholder can delete rarely used applications and add new ones. 
The personalization capability is further amplified in conjunction with a 
multiplicity of delivery channels, such as cell phones, set top boxes, and network 
computers. Consumers are afforded added convenience and flexibility in 

25 conducting financial transactions and invoking services delivered through the 
smartcard. 

Referring now in detail to an embodiment of the present invention, which 
is illustrated in the accompanying drawings. Fig. I shows an overview of the key 
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components from a system-wide perspective of the architecture for an 
embodiment of the present invention. Referring to Fig. 1, the end-to-end 
architecture takes into account the issues and concerns from the card 2 to the 
terminal 4, to the front-end system 6, to the network 8, and, ultimately, to the 

5 back-end server 10. Such an end-to-end perspective is an important aspect of the 
system and enables reflecting and addressing system-wide concerns, such as 
security, performance, interoperability, and standardization. In this multi- 
function world, it is imperative to have such an understanding in order to gauge 
the needed performance and security for the card. This also enables addressing 

10 the interoperability and standardization concerns between the card 2 and the 
terminal 4, as well as between the terminal 4 and the back-end server 10. For 
example, the system architecture is designed such that security broken on one end 
can be remedied or minimized from the other. 

Referring further to Fig. 1, five major components of the end-to-end 

1 5 architecture include, for example, the smartcard 2, the terminal 4. the front-end 6. 
the network 8, and the back-end servers 10. The card issuer has full control of the 
security measures both on the card 2 and at the back-end servers 10. The in- 
between terminals 4 and 6 and the networks 8 are regarded as insecure and are 
treated with special attention. On the other hand, intelligence or processing 

20 capability is distributed across the system. Depending on the application needs, 
intelligence is propagated from the card 2 to the terminal 4, and to the servers 1 0. 
or vice versa. 

In an embodiment of the present invention, the smartcard 2, acting as the 
ultimate thin client, is the relationship card that is leveraged to further the trusted 
25 relationship between a financial institution , such as a bank, and its customers. In 
order to accomplish that, the card mfrastructure supports the required multi- 
functionality and downloadability. An example of such a platform is Java card, 
which encompasses the virtual machine and the supporting class libraries. Fig. 2 
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is a chart which shows a sample of layered hierarchy in the card platform for an 
embodiment of the present invention. A card platform, such as the Java card 
platform, offers a layered hierarchy in its architecture. For example, a Java card 
virtual machine (JVM) 16 sits atop the card operating system 14 that is either 
5 proprietary or open, as in the case of Mondex's MULTOS. 

In an embodiment of the present invention, the term applet means a 
smart card application that is compact in size and downloadable over a public 
network. Referring to Fig. 2, a card architecture such as JVM 16 offers added 
security during runtime by providing bytecode verification to prevent 

10 unauthorized applets from being executed on the card. Bytecode is machine 
independent and is iiilerpreted by the JVM 16. Sitting above the JVM layer 16 
are the foundation class libraries 18, which offer the interface for building Java 
card applications. Such a framework based approach facilitates reuse and enables 
faster time-to-market for the application development. In order to further extend 

15 that vision, industry-specific and application-specific templates 20 are created, 
which are foundation class libraries that can be derived or inherited to produce 
specialized applications. Hence, interoperability is achieved at the card 
application level. Finally, at the top of the hierarchy is a suite of cross-industry 
applications 22 that co-exist harmoniously on the card 2. 

20 In an embodiment of the present invention, a spectrum of terminals and 

access devices 4 have smartcard interfaces. These include ATMs. POS terminals. 
PCs with smartcard readers (either standalone or part of keyboards), personal 
digital assistants (PDAs), set-top boxes, cell phones, cable/satellite TV boxes, and 
various contact/contacUess reader devices. The design provides a coherent 

25 architecture between the card 2 and the terminal 4, such that both card and 
terminal applications can be upgraded simultaneously to allow seamless 
migration. An electronic wallet residing, for example, on a PC or distributed over 
a network offers a vehicle for delivering payment services and information 
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management over the Internet. The smartcard 2 is a natural extension of the 
wallet to physically contain some of the wallet functionalities. The smartcard 2 
evolves as the physical embodiment of the wallet Thus, a certain portion of the 
wallet functionalities are moved to the card 2, while others either stay on the 
5 terminal 4 or browser or move to the server. Distribution of intelligence across 
the network is realized in such a migratory fashion. 

In an embodiment of the present invention, from an architectural 
perspective, the data of a wallet physically resides, for example, on the card 2 or 
in a remote server. The storage location is arranged based on the nature of the 

10 information and the constraint of capacity on the card 2. Regardless of the 
physical location, the information is accessible to the user transparently. In 
situations where the user wishes to have a conscious understanding of the actual 
data location so as to make a proper decision during transactions, the smartcard 
architecture facilitates such a decision-making process. Storing or backing up 

i s critical information on the server is a powerful mechanism to safeguard a 
cardholder's valuable information. 

In an embodiment of the present invention, in the event that the card 2 is 
lost or stolen, a financial institution can confidently issue a new card with the 
original card information (not stored value) restored from the financial 

20 institution's servers. With this recoverability, the customers of the financial 
institution have a peace of mind, knowing that a trusted financial institution is 
securing the information on their behalf. This, in turn, provides market 
differentiation for a financial institution, such as bank, as losing a card has 
become one of the top consumer concerns. In order to enable biometrics-based 

25 verification, a biometric scanning device, such as a fingerprint or hand geometry 
scanner, is installed at the terminal 4. The captured biometric data is compared 
with a reference template on the card 4 to verify the authenticity of the 
cardholder. 
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In an embodiment of the present invention, the front-end systems 6 serve 
as the front end to terminals 4. Their principal responsibility is to offer the 
necessary translation of message protocols between the terminal 4 and back-end 
servers 10. They often play the role of a middleware or gateway in a networking 
5 environment, such that smartcard-ready terminals 4 are transparent to back-end 
legacy systems 10. Networks 8 offer the plumbing in a distributed environment 
Both public (open) and private (proprietary) networks are used in the system. The 
former include, for example, Internet, PLUS, Cirrus, and Star., whereas the latter 
includes, for example, Citishare. 

10 In an embodiment of the present invention, in the financial services 

environment, back-end servers 10 deal with clearing and settlement functions. 
Several back-end services support operations in a dynamic, multi-function 
environment, such as Certificate Authority (CA), Electronic Customization Depot 
(ECD), Electronic Deposit Box (EDB), and Electronic Vault (EV). A financial 

1 5 institution can provide one or more of such services in order to provide market 
differentiation and to further the relationships with its customers. The particular 
services are devised logically according to their functions. More than one service 
can reside physically on the same server 10, depending on business needs and 
design decisions. 

20 In an embodiment of the present invention, Certificate Authority (CA) is a 

trusted third party. It is responsible for issuing certificates to customers, 
merchants, and those who want to conduct public-key based transactions over the 
Internet Secure Electronic Transaction (SET) operations are certificate based 
Thus, die CA inherently becomes an integral part of any secure transaction 

25 process. A financial institution can be a C A in order to maximize interactions 
with its customers. 

In an embodiment of the present invention, an electronic customization 
depot behaves as an applet server and a monitor application server to offer a 
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customer the options to customize the customer's card 2 by adding or deleting 
applets. As an applet server, it is the source for applet download and for card 
restoration. Each monitor application is responsible for establishing secure 
download of applets to the customer's smartcard 2. Load keys, for example, are 
5 stored in the monitor application to facilitate the operation. Counterparts of a 
safety deposit box and vault in the physical world are provided in a virtual world 
electronic deposit box and electronic vault Like a safety deposit box, whose 
purpose is to store customer's valuables in a trusted and secure environment the 
electronic deposit box offers similar services to a financial institution's 
10 customers. 

In an embodiment of the present invention, the financial institution stores 
or backs up valuable information on the smartcard 2 for a customer upon request- 
Collectively, electronic deposit boxes are aggregated within an electronic vault 
In addition to holding customers* valuable information, including electronic 

15 tokens and tickets, an individual electronic deposit box also maintains a software 
inventory of each customer's card 2. With such an inventory, the financial 
institution is able to restore the card applications, for example, from the electronic 
customization depot, for a customer when the card is lost or stolen. 

In an embodiment of die present invention, facilities are provided to 

20 support applications, such as secure dynamic application downloads, which are 
the policies and mechanisms needed to securely install card applications on the 
smartcard 2 after the card has been issued. Other such facilities include on-card * 
application interactions, which are mechanisms for allowing card applications to 
discover and safely interact with each other. Additional such facilities include 

25 off-card application interactions, such as mechanisms for supporting secure 
interactions between on-card and off-card applications and advanced system 
management. On-card applications are frequently referred to as applets. Of 
necessity, applications installed on the smartcard 2 tend to be very small when 
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compared with desktop, terminal, or mainframe applications and hence are called 
applets. 

In an embodiment of the present invention, the smartcard application 
platform meets two overall security goals, namely, to ensure the security and 

5 integrity of the card's system components and to provide applets with scaleable 
mechanisms to ensure their own security and integrity. The overall security 
policy for the card 2 is that only authorized entities may have access to card 
resources; and this access is limited to the activities for which access has been 
granted. In order to insure that security goals of the financial institution are met 

10 the card application platform includes several important elements, two of which 
are a master application and the monitor application. As a special system applet, 
the master application represents the card issuer. It provides global card services, 
including, for example, installing applets on the card 2, personalizing and reading 
global data, managing the card life cycle state, supporting external audits when 

1 5 the card is blocked, and maintaining a map of the monitor applications associated 
with each applet 

In an embodiment of the present invention, the system includes applets 
developed by other applet providers, as well as a financial institution's own 
applets. Thus, the card application platform supports the secure and confidential 

20 installation of applets from multiple providers. In order to support secure 
installation of applets, the financial institution uses monitor applications. A 
monitor application is a special applet supplied by an applet provider. Each 
monitor application controls the installation of a provider's applet or applets. 
There can be multiple monitor applications on a card. Each monitor application 

25 represents a unique cryptographic relationship for a single applet provider. Using 
its unique combination of cryptographic mechanisms and keys, each monitor 
application manages the signature checking and decryption of applets loaded onto 
the card 2. Therefore , the installation and initialization of a monitor application 
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on the card 2 is an essential step to support the secure download of a provider's 
applets. 

Another important aspect of an embodiment of the present invention is the 
installation of the master application on the card 2, which functions in 
5 conjunction with the monitor application.. The master application serves, for 
example, as an arbiter, a gatekeeper, and a message dispatcher on the smartcard 2. 
Direct application-to-application interactions on the card are not permitted. 
Instead, all interactions must go through the master application, serving as the 
arbiter, gatekeeper and message dispatcher on the card 2. The master application 

10 serves as an arbiter during inter-application communications. Any request 

initiated by one application is sent to the roaster application before it is routed to 
its destination application, for example, for preliminary checking to prevent bogus 
requests. Such a request can be, for example, a file access or a service rendition. 
In either case, it is up to the destination or receiving application to decide whether 

15 to honor the request 

The master application serves as a gatekeeper, for example, during 
dynamic application downloading to prevent unauthorized applications from 
being downloaded onto the card 2. In such capacity, the master application, 
working in conjunction with the individual monitor applications, performs 

20 necessary authentication and validation functions to ensure that the downloaded 
application originates from a legitimate source and that the content has not been 
altered. 

The master application serves as a message dispatcher, for example, 
during terminal-to-card interactions. The message dispatching process is a 
25 simple, yet robust, message routing mechanism that ensures timely delivery of 
messages, while incurring little overhead. Each incoming message is routed 
sequentially to each application resident on the card 2, and each such application 
determines whether it is the intended recipient of the message. If so, the 
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particular application processes the message and returns a "success* response. 
Otherwise, the application returns an "error* message, and the master application 
continues to forward the message to other applications on the card 2 t until a 
"success" response is returned. Thereafter, subsequent messages are forwarded to 
5 the last successful application, until the particular application returns an "error" 
message, and the cycle is repeated. 

Another important aspect of an embodiment of the present invention is 
installation of a consolidated identification application (ID application) on the 
card 2. The ID application serves as a single placeholder for all personal profile 

10 related information to avoid duplication of data. When an application requires 
identification related information, the application submits its own identification 
and a clearance level, and the ID application determines the privilege, if any, to 
be given to the requesting application for data access. For example, a health care 
application can access the cardholder's blood type information, while a loyalty 

15 program cannot 

In an embodiment of the present invention, the installation and 
initialization of monitor applications can occur during card initialization. 
However, for maximum flexibility, the financial institution supports downloading 
and installing new monitor applications after the card 2 has been issued. To 

20 support this feature, a root monitor application is installed during card 

initialization and personalization. Subsequently, each downloaded monitor 
application allows the financial institution to download and install specific 
applets. Before the actual download and installation of an applet takes place, the 
appropriate monitor application authorizes the download of the applet Therefore. 

25 before an applet is downloaded, an application identifier (AID) that identifies the 
applet must be registered with the appropriate monitor application, so that it can 
authorize the downloading of the identified applet 
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Fig. 3 is a schematic diagram which amplifies the flow of information 
shown in Fig. 1 and provides further detail regarding the process of selecting and 
securely downloading an applet onto smart card 2 for an embodiment of the 
present invention, Fig. 4 is a flow chart which provides further detail regarding 
5 the process of selecting and securely downloading an applet onto the smartcard 2 
for an embodiment of the present invention. At SI, the smartcard 2 contains an 
applet that verifies the identity of the cardholder 24 with a PIN or a biometric. 
such as a fingerprint At S2, from a selection of service options offered by the 
system, the cardholder 24 selects the option to download a new applet. The card 

i o 2 and the cardholder 24 must both be qualified before the system offers any 
applets for download At S3, the system offers those applets supported by the 
business based on one or more relationships with the cardholder 24 and those 
applets that will fit in the space available on the card 2. 

In an embodiment of the present invention, it is noted that space 

1 5 qualifications imposed on applets must account for the total space needed for each 
applet, including any other applets on which each applet depends. Thus, applets 
may be grouped into clusters. So, if one applet depends on another applet that has 
not yet been installed on the card 2, the card has enough space to accommodate 
all applets that form such a dependency cluster. At S4 f the system presents a list 

20 of qualified applets to the cardholder 24, including, for example, brands that help 
identify the providers of the applets. There are several kinds of disclosures to 
allow the cardholder 24 to make informed decisions during applet selection. 
Some representative examples include the total size of each applet, the space 
available on the card 2, and any other limitations inherent in the card 

25 mfrastructure. For example, once an applet has been installed, it cannot be 
removed, nor can the allocated space be recovered. 

In an embodiment of the present invention, at S5, the cardholder 24 selects 
an applet from the offered applet list At S6, if a monitor application for the 
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selected applet does not exist on the card 2, a new one is downloaded from the 
applet server in the electronic customization depot. At S7, if a new monitor 
application was added to the card, the new monitor application is initialized with 
any necessary key or keys, which are obtained from the security server in the 

5 electronic customization depot At S8, the selected applet is downloaded from the 
applet server in the electronic customization depot 26 and installed, using the 
security mechanism provided by the monitor application and, for example, the 
gatekeeper functionality of the monitor application. At S9, the security server in 
the electronic customization depot 26 supplies the new applet with any key or 

i o keys necessary for its operation. 

In an embodiment of the present invention, if the applet requires any 
customer information, it is obtained from the customer relationship facility 28. If 
the applet requires a digital certificate, it is obtained from the appropriate 
certificate authority 30. At S10, if the cardholder relationship supports it the new 

15 applet is registered in the card software inventory. A copy of the card software 
inventory is maintained in the cardholder's electronic deposit box in the bank's 
electronic vault 32. In addition, the cardholder's electronic deposit box is updated 
with a copy of the applet's operational data, if any, but not any keys or 
certiGcates, which are reissued in the event of a lost card. 

20 In an embodiment of the present invention, in order to create a secure and 

trusted environment, applets are isolated from each other. An applet firewall 
prevents one applet from accessing the contents and behavior of objects owned by 
other applets. However, some applets are allowed to communicate with each 
other in trusted ways. A smartcard, such as the Java card, provides two basic 

25 mechanisms for explicitly sharing objects between applets. One such mechanism 
is restricted sharing, and the other is unrestricted sharing. Restricted sharing 
allows an applet to grant specific other applets access to a shared object. 
Unrestricted sharing allows an applet to grant all other applets access to a shared 
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object. In combination, these two basic mechanisms are used to implement 
selective object sharing. Some applets share selected information and sen' ices. 
For example, a payment applet interacts with a loyalty applet to add loyalty points 
as part of a payment transaction. However, the loyalty applet provider can restrict 
these interactions to applets from certain providers or certain kinds of payment 
applets. To support this kind of selective interoperability, some of the applets 
have a mechanism for shared object registration. 

In an embodiment of the present invention, applets can be downloaded and 
installed on the card 2 after the card has been issued Therefore, an applet that 
already exists on the card 2 does not have any knowledge of a newly installed 
applet until the new applet registers itself with the pre-existing applet. Once the 
new applet identifies itself to the pre-existing applet, the pre-existing applet can 
grant the new applet access to its shared object or objects. Thus, the pre-existing 
applet or sharing applet supports registration of other applets for its shared object 
or objects. 

In an embodiment of the present invention, in order to implement shared 
object registration, the sharing applet grants unrestricted access to a resource 
guardian. The resource guardian controls and grants restricted access to some 
guarded resource or resources, referred to as the sharing applet's shared object or 
objects. Some of the applets can also contain reusable foundation class libraries 
or groups of Java classes that are generic enough to be used by several kinds of 
applets. In order to retain control over the usage of some objects and thereby 
maintain trust, some of these libraries include shared object factories. A shared 
object factory creates a new instance of a library class on request for a specific 
client applet, and registers the new instance for access by the client applet 

In an embodiment of the present invention, some applets share information 
and services. However, giving the cardholder 24 the ability to select and 
dynamically download applets implies that the applets cannot be installed on the 
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card 2 in a predetermined order. For example, a loyalty applet can be designed to 
support interactions with several kinds of payment mechanisms. When a new 
payment mechanism is installed on the card 2, it will likely want to discover 
whether any compatible loyalty applets are already on the card. Therefore, in 
5 order to allow dynamically loaded applets to discover during installation what 
other applets exist on the card 2, the card application platform includes an 
application registry. 

In an embodiment of the present invention, the application registry 
provides a shared object registration mechanism that supports linkage between 

10 applications based on their identification and based on their functionality or 

object-oriented classification. Thus, newly installed applets are able to discover 
whether another applet exists on the card 2 using an AID, and are also be able to 
discover whether any other applet exists on the card that implements a specific 
functional interface or that was derived from a specific base class. 

15 In an embodiment of the present invention, allowing applets to discover 

and link with each other based on their functionality gives them a much more 
flexible alternative to identification alone. It allows them to achieve a level of 
multi-functional integration beyond the simple deployment of multiple functions 
on the smartcard 2. It also allows terminals to dynamically and intelligently adapt 

20 their interactions with the card 2 based on the functionality supported by the 
applications that actually exist on the card. In addition to facilities that support 
on-card interactions, card applications also have services to facilitate interactions 
with off-card applications, whether they reside on the card terminal 4 or on back- 
end systems 10. 

25 In an embodiment of the present invention, security mechanisms related to 

dynamic application download are asymmetric in that they are applied in only one 
direction. A downloaded applet is decrypted and its integrity and authenticity are 
verified before it is installed on the card 2. However, the applets themselves have 
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symmetric mechanisms for security. They have support for example, for data 
encryption and decryption, digital signature generation and verification, and 
message authentication code (MAC) generation and verification. The card 
application platform includes a facility, such as cryptographic foundation classes* 
5 that supports packaging these diverse security mechanisms together for coherent, 
consistent and symmetric use, including services for key generation and key 
management 

In an embodiment of the present invention, as the cardholder 24 puts more 
and more kinds of information on the card 2, the value of the card to the 

10 cardholder naturally increases. Thus, the loss of the card 2 may represent a 

substantial loss for the cardholder 24. To reduce the significance of this loss, the 
system provides a mechanism for recovering the information contained on the 
card 2 in order to re-issue the card in the event of its loss. The financial 
institution provides a secure off-card information storage facility or electronic 

1 5 vault 32 mat contains an electronic deposit box for each cardholder 24. Each 
electronic deposit box contains a copy of the contents of each card that the 
cardholder 24 registers with the bank, including a software inventory of the 
applets installed on the card 2, as well as a copy of the information managed by 
each of the installed applets. 

20 In an embodiment of the present invention, applets of providers other than 

the financial institution can be installed on the card 2. The providers of such 
other applets have a legitimate interest in protecting their security keys and the 
data managed by their applets. In order to support applet data recovery, the 
applets on the card 2 and the electronic vault 32 cooperate by using a secure 

25 protocol for data exchange. In order to support applet provider secrecy, each 
applet uses encryption to prevent the copied data in the vault 32 from being 
examined. These electronic security mechanisms together mimic the physical 
security mechanisms used to store valuables in a safe deposit box. For example. 
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it requires two keys to access the valuables stored in the deposit box, one of 
which belongs to the customer and one of which belongs to the bank. Thus, using 
symmetric mechanisms, each applet is able to produce a blinded copy of its 
information during backup, and consume a blinded copy during restoration. The 

5 electronic vault 32 stores the blinded copy of the information for each applet. 

In an embodiment of the present invention, the smartcard 2 is not limited 
to playing die role of a service provider in a client-server architecture, in which 
interactions between the card 2 and the terminal 4 are initiated by the terminal, 
with the card as a responsive device, but the system provides a more flexible 

10 architectural solution that includes the smartcard. On-card objects are allowed 
for example, to initiate interactions with remote, off-card objects in the context of 
a distributed computing environment which is supported by a card platform, such 
as Java card, with inclusion of, for example, the Java facility for remote method 
invocation (RMI). 

15 in an embodiment of the present invention, in the context of distributed 

objects, mechanisms are provided by the system to support transparent object 
distribution. Thus, on-card objects are able to interact with off-card objects and 
vice-versa without explicit knowledge of their location. Such transparency 
simplifies the system design, allowing greater flexibility in locating objects, and 

20 supports the deployment of migratory objects that can move from one place, such 
as the electronic vault 32, to another, such as the card 2. For example, an 
electronic ticket can be bougjit and stored in the electronic vault 32 until, when il 
is needed for use, it can be moved onto the smartcard 2 to allow off-line 
redemption. 

75 In an embodiment of the present invention, replacement of deployed 

applets is supported by a card platform, such as Java card. Application identifiers 
(AIDs) are assigned and administered. An applet AID can be reused without 
change when deploying a new applet version. Alternatively, but less desirable, is 
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a naming scheme for A IDs that includes a version identifier to guarantee 
uniqueness. A mechanism replaces the objects that have been created for an 
applet, for example, when some of the applet classes have changed their shapes. 
On-card mutation may be difficult or not possible given the card constraints. This 
5 consideration reinforces the value of the electronic vault 32 as a backup facility. 

In an embodiment of the present invention, the old version of an applet 
may be removed entirely, including all its objects, and replaced with the new 
version, and the applet objects restored from backup copies that have been 
mutated in the electronic vault 32. A cleanroom software engineering approach 

i o for applet development applies rigorous process controls to the software 

development process, producing very high quality software, such as six sigma 
quality. The resource constraints of smartcards require that applets must be kept 
relatively small and simple. Thus, the rigorous process requirements of the 
cleanroom approach are not as burdensome as it is on large software projects. 

1 5 Various preferred embodiments of the invention have been described in 

fulfillment of the various objects of the invention It should be recognized mat 
these embodiments are merely illustrative of the principles of the present 
invention. Numerous modifications and adaptations thereof will be readily 
apparent to those skilled in the art without departing from the spirit and scope of 

20 the present invention. Accordingly, the invention is only limited by the following 
claims. 

What is claimed is: 
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1 . A method of managing addition of at least one new application to a 
multi-function smartcard for a cardholder, comprising: 

installing a monitor application for the new application on a 
microcomputer of the smartcard; 
5 authorizing download of the new application by the monitor 

application and by a master application resident on the smartcard; and 

downloading the new application to die smartcard microcomputer. 

2. The method of claim 1 , wherein installing the monitor application 
further comprises downloading the monitor application from a server. 

10 3. The method of claim 2. wherein the server further comprises an 

electronic customization depot 

4. The method of claim 3, wherein the electronic customization depot 
further comprises functionalities of at least one of an applet server and a monitor 
application server. 

15 5. The method of claim I, wherein installing the monitor application 

further comprises downloading the monitor application at a terminal. 

6. The method of claim 5. wherein the terminal further comprises a 
smartcard access device selected from a group consisting of an automated teller 
machine, a merchant terminal, a personal computer, a personal digital assistant a 

20 TV set-top box, land phone, a cell phone, a digital phone, a cable TV box, a 

satellite TV box, a contact reader, a contactless reader, and a combination contact 
and contactless reader. 

7. The method of claim 6, wherein downloading the new application 
further comprises downloading an application consisting of at least a portion of a 

25 plurality of functionalities for an electronic wallet from a server connected to the 
terminal, while allowing other portions of the functionalities for the electronic 
wallet to remain on at least one of the terminal and the server in a migratory 
fashion. 
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8. The method of claim 1 , wherein installing the monitor application 
further comprises downloading the monitor application over a network. 

9. The method of claim 8. wherein the network further comprises at 
least one of a public network and a proprietary network. 

S 10. The method of claim 1 , wherein authorizing the download further 

comprises initializing the monitor application. 

1 1 . The method of claim 1 0, wherein initializing the monitor 
application further comprises initializing the monitor application with a key 
provided by a server. 

io 12. The method of claim I, wherein authorizing the download further 

comprises registering an application identifier for the new application with the 

monitor application. 

13. The method of claim 1, wherein downloading the new application 

further comprises verifying identification of the cardholder. 
15 14. The method of claim 1 3, wherein verifying the identification 

further comprises verifying the identification by an application on the smartcard 

microcomputer. 

15. The method of claim 14, wherein verifying the identification 
further comprises verifying the identification with a PEN of the cardholder. 
20 16. The method of claim 14, wherein verifying the identification 

further comprises verifying the identification with biometric data of the 
cardholder. 

1 7. The method of claim 1 6, wherein verifying with the identification 
further comprises verifying the biometric data with a scanner at a terminal. 
25 18. The method of claim 1 7, wherein verifying the biometric data 

further comprises comparing the biometric data with a reference template on the 
smartcard microcomputer. 
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1 9. The method of claim 1 8, wherein the biometric data further 
comprises fingerprint data for the cardholder. 

20. The method of claim 1 , wherein downloading the new application 
further comprises authenticating the smart card 

5 21. The method of claim 20, wherein authenticating the smartcard 

further comprises authenticating the smartcard by a server. 

22. The method of claim 1 , wherein downloading the new application 
further comprises offering a selection of service options to the cardholder. 

23 . The method of claim 22. wherein downloading the new application 
to further comprises selecting a service option to download a new application by the 

cardholder. 

24. The method of claim 1 , wherein downloading the new application 
further comprises offering a list of qualified new applications to the cardholder. 

25. The method of claim 24, wherein the list of qualified new 

15 applications further comprises a plurality of new applications according to pre- 
defined parameters. 

26. The method of claim 25. wherein the pre-defined parameters 
comprise at least one of a new application supported by business based on a 
relationship with the cardholder and a new application that fits in space available 

20 on the smartcard microcomputer. 

27. The method of claim 26, wherein the pre-defined parameters 
further comprises the new application which, together with any other applications 
on which the application depends, fits as a dependency cluster in space available 
on the smartcard microcomputer. 

25 28. The method of claim 24, wherein downloading the new application 

further comprises selecting the new application from the list of applications by the 
cardholder. 
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29. The method of claim 1, wherein downloading the new application 
further comprises downloading the new application from a server. 

30. The method of claim 29, wherein the server further comprises an 
electronic customization depot. 

5 31. The method of claim 30, wherein the electronic customization 

depot further comprises functionalities of at least one of an applet server and a 
monitor application server. 

32. The method of claim 1, wherein downloading the new application 
further comprises downloading the new application at a terminal. 

10 33 . The method of claim 32, wherein the terminal further comprises a 

smartcard access device selected from a group consisting of an automated teller 
machine, a merchant terminal, a personal computer, a personal digital assistant a 
TV set-top box, a land phone, a cell phone, a digital phone, a cable TV box. a 
satellite TV box, a contact reader, a contactless reader, and a combination contact 

15 and contactless reader. 

34. The method of claim L wherein downloading the new application 
further comprises downloading the new application over a network. 

35. The method of claim 34, wherein the network further comprises at 
least one of a public network and a proprietary network. 

20 36. The method of claim 1 , wherein downloading the new application 

further comprises installing the new application on the smartcard microcomputer. 

37. The method of claim 36, wherein installing the new application 
further comprises installing the new application using a security mechanism of 
the monitor application. 
25 38. The method of claim 36, wherein installing the new application 

further comprises supplying die new application with an operation key. 

39. The method of claim 36, wherein installing the new application 
further comprises supplying the new application with cardholder information. 
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40. The method of claim 36, wherein installing the new application 
further comprises supplying the new application with digital certificate. 

4 1 . The method of claim 36, wherein installing the new application 
further comprises registering the new application in a software registry of the 

5 smartcard. 

42. The method of claim 4 1 , wherein registering the new application 
further comprises registering the new application according to an object-oriented 
classification of the software registry. 

43. The method of claim 41, wherein registering the new application 
10 further comprises furnishing a copy of the srnartcard software registry to an 

electronic deposit box. 

44. The method of claim 43. wherein furnishing a copy further 
comprises updating the electronic deposit box with a copy of operational data for 
the new application. 

15 45. The method of claim 36, wherein installing the new appl ication 

further comprises selectively sharing at least one object of the new application 
with at least one object of another application on the srnartcard. 

46. The method of claim 45 ; wherein selectively sharing further 
comprises at least one of restricted sharing of the object by the new application 

20 and unrestricted sharing by the new application. 

47. A system for securely adding at least one new application to a 
multi-function srnartcard for a cardholder, comprising: 

means for installing a monitor application for the new application 
on a microcomputer of the smartcard; 
25 means for associated with the installing means for authorizing 

download of the new application by the monitor application and by a master 
application resident on the smartcard; and 
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means associated with the authorizing means for downloading the 
new application to the smartcard microcomputer. 

48. The system of claim 47. wherein the installing means further 
comprises means for downloading the monitor application from a server. 
5 49. The system of claim 48, wherein the server further comprises an 

electronic customization depot 

50. The system of claim 49, wherein the electronic customization depot 
further comprises functionalities of at least one of an applet server and a monitor 
application server. 

io 51. The system of claim 48. the means for downloading the monitor 

application further comprises a terminal communicating with the server over a 
network. 

52. The system of claim 47, wherein the means for downloading the 
new application further comprises a server. 
15 53. The system of claim 52, wherein the server further comprises a an 

electronic customization depot 

54. The system of claim 53 ? wherein the electronic customization depot 
further comprises functionalities of at least one of an applet server and a monitor 
application server. 

20 55. The system of claim 52, wherein the means for downloading the 

new application further comprises a terminal communicating with the server over 
a network. 
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A method and system for managing applications for a multi-function 
smartcard makes use of a resident master application and one or more monitor 

s applications installed on the smartcard microcomputer to authorize downloading 
of new applications to the smartcard and to manage applications on the smartcard. 
New applications are installed on the smartcard using a security mechanism of the 
monitor application. When a new application is installed, it is provided for 
example, with an operation key, cardholder information, and a digital certificate. 

10 The new application is registered in a software registry of the smartcard according 
to an object-oriented classification, a copy of the registry is stored in an electronic 
deposit box, and the electronic deposit box is updated with operational data for 
the new application. The new application selectively shares one or more objects 
with objects of other applications on the smartcard on a restricted or unrestricted 

IS basis. 
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